Pop ups gone wild

Discussion in 'Malware Help (A Specialist Will Reply)' started by newgroove, May 25, 2005.

  1. newgroove

    newgroove

    Hey all -

    I've been helping my friend try and fix his computer that has been being bombarded with popups every time he connects to the Internet. I went through all of the steps in the sticky notes here in the spyware forum and by doing those I found a trojan virus and homepage hacker (ouch!). I was able to get rid of those but next time we connected his computer to the Internet a ton of popups came back. So, I ran HijackThis again and I do not see anything wrong.

    I don't want to post the log here because it says not to post it unless it's asked for. But I do have it and I will post it if you think you could help. We've run several virus checkers on his computer and they're not finding anything.

    Any suggestions?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. jeff6303j

    jeff6303j Private E-2

    Edit:

    Got beat to it :(

    *Bows down*

    gl hf
     
  4. newgroove

    newgroove

    I already went through the thread about help with using HJT. That's where I got stuck. Here's the log just as you asked for.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your Operating System and Internet Explorer versions are WAY out of date and represent a major security risk. After we fix your current problems, you must get updated. You need to install Service Pack 2 for security purposes.


    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    After you have relocated HJT, proceed with the following online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you have completed the online scans, reboot and post a fresh HJT log.
     
  6. newgroove

    newgroove

    Alright, finally ran all those virus checkers and it appears that it's not getting anymore popups. However, things are not always as they appear so I thought that I better post the log anyways.

    If it's all good let me know.

    And thanks for your help.
     

    Attached Files:

    • log.txt (5.6 KB)
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Again, I will point out that the Operating System and Internet Explorer versions are WAY out of date and represent a major security risk. After we fix the current problems, your friend must get updated. You need to install Service Pack 2 for security purposes.


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemks32.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: Win32 Classes -

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\windows\system32\elitemks32.exe <-- Look for more files starting with elite and ending with .exe! There could be as many as 10 more, delete all that's found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
     
  8. newgroove

    newgroove

    Cool. I'll post a log as I can. My friend has gone on vacation for Memorial Day and won't be back till Monday so I'll post a new log the beginning of next week!
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!
     
  10. newgroove

    newgroove

    New log....here you go....
     

    Attached Files:

    • log.txt (5.1 KB)
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now scan with HijackThis and Check the Boxes for the following:

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    After you complete the above, the HJT log will be clean! For it to remain clean you MUST get to windows updates and install Service Pack 2.
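
The triage applied in posts 7 and 11, sketched as an added example that is not part of the thread or of HijackThis itself: it parses HijackThis log lines, separates entries marked "(file missing)" from entries that still load a file named like the `elite*.exe` pattern from post 7, and pulls the service name needed for services.msc. The function names, the section labels and the last sample line are assumptions made for this illustration.

```python
import fnmatch
import ntpath
import re
from collections import namedtuple

# HijackThis section codes that appear in this thread.
SECTIONS = {"O4": "autostart entry", "O9": "IE extra button / Tools menu item",
            "O16": "ActiveX (Downloaded Program Files)", "O23": "Windows service"}
Entry = namedtuple("Entry", "code meaning path file_missing service")

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")
PATH_RE = re.compile(r'((?:[A-Za-z]:|%\w+%)\\[^"<>|]*?\.(?:exe|dll|ocx|cab))', re.I)
SERVICE_RE = re.compile(r"^Service:\s+.*\((\w+)\)\s+-")

def parse_line(line):
    """Parse one HijackThis log line; return None for headers and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, rest = m.groups()
    path = PATH_RE.search(rest)
    svc = SERVICE_RE.match(rest) if code == "O23" else None
    return Entry(code, SECTIONS.get(code, "other"),
                 path.group(1) if path else None,
                 rest.rstrip().endswith("(file missing)"),
                 svc.group(1) if svc else None)

def triage(log_lines, name_glob="elite*.exe"):
    """Return (orphans, live): entries HijackThis marks as file missing, and
    entries still loading a file whose name matches name_glob (lowercased)."""
    orphans, live = [], []
    for entry in filter(None, map(parse_line, log_lines)):
        if entry.path is None:
            continue  # e.g. the truncated O16 line: no path to check
        if entry.file_missing:
            orphans.append(entry)
        elif fnmatch.fnmatchcase(ntpath.basename(entry.path).lower(), name_glob):
            live.append(entry)
    return orphans, live

# Entries quoted in post 7, plus one constructed benign line (the last).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemks32.exe",
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)",
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe",
]

if __name__ == "__main__":
    for e in sum(triage(SAMPLE_LOG), []):
        print(e.code, e.path, "orphan" if e.file_missing else "live", e.service or "")
```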
     
  12. newgroove

    newgroove

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

