Pop-Ups just keep coming

Discussion in 'Malware Help (A Specialist Will Reply)' started by geekmom322, Oct 28, 2005.

  1. geekmom322

    geekmom322 Private E-2

    I have followed all the posted guides on the site and still keep getting pop-ups. I am also noticing that IE is being used for the pop-ups even though I only have Firefox open.

    Would someone kindly review my HJT log file? I have cleaned it as much as I can, but there are still some things in it that I do not know what to do with.

    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must follow all the steps properly. Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

     
  3. geekmom322

    geekmom322 Private E-2

    I have run the following programs several times, both in safe mode and in normal mode:

    CCleaner
    Ad-Aware
    Spybot Search & Destroy
    Microsoft AntiSpyware
    CWShredder
    AVG scan
    Ewido
    HJT

    I think I have covered all the steps in the stickies several times already, including using the HJT analyzers online, which come back with several items that they cannot identify.

    What am I missing before someone can give some advice?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    See Step 5 - at least two of the online scanners must be run and if you run Panda the log should be attached.
    See Step 7! HijackThis procedure not followed because if it was, you would not have HijackThis installed improperly.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of trojans! I would think that some of the scanners should be detecting them.

    Note: you are also going to need to run the below steps so that we can work up a manual procedure to fix one of the nasties you have.

    First, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, double-click Find-Qoologic.bat to run the tool. It should produce a log - please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL . Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments. That will require two messages.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After you correctly install HijackThis, continue with the below. Note that I'm posting based on your previous log to help keep you moving along; however, some things could have changed. Also, I really need the output from the tools in my last message to complete the fix. So at least one item (the one saying O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ls4skp.exe reg_run ) will return and will probably have a new filename.

    Complete these steps anyway! It will get us a lot closer.

    Look in Add/Remove programs for the below and uninstall if found:
    CMAPP or CMAPP Client
    FCEngine
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\211C1D222728202.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [vFsi3mT] dmlin.exe
    O4 - HKLM\..\Run: [rqten] C:\WINDOWS\rqten.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ls4skp.exe reg_run
    O4 - HKLM\..\Run: [qiklenc] C:\WINDOWS\qiklenc.EXE
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [fvyptpt] C:\WINDOWS\system32\ctswdmk.exe r
    O4 - HKLM\..\Run: [4A45464B5051494C5] 211C1D222728202.exe
    O4 - HKCU\..\Run: [eo3sRgf2e] dmcinet.exe
    O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
    O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\dmlin.exe
    C:\WINDOWS\rqten.exe
    C:\WINDOWS\system32\ls4skp.exe
    C:\WINDOWS\qiklenc.EXE
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\system32\ctswdmk.exe
    C:\WINDOWS\system32\211C1D222728202.exe
    C:\WINDOWS\system32\dmcinet.exe
    C:\Program Files\CMAPP <--- the whole folder
    C:\Program Files\FCEngine <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Then, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. DO NOT REBOOT or power down at this point or the infection may mutate. Wait for the next fix to be posted.
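    As an added example (not part of this thread, and not code from HijackThis or MajorGeeks), the Python script below shows the bookkeeping behind the fix above: each selected O4 line names a registry autostart value, the binary it launches and its arguments, and from that you get the three lists in the post (Run values to fix, processes to kill, files or folders to delete). The sample lines are copied from the post; everything else is an assumption for the example: that a bare filename such as dmlin.exe resolves to C:\WINDOWS\system32 (which is how the helper resolved them), that the Windows directory is C:\WINDOWS, and that entries under C:\Program Files are removed as whole product folders, as the post did for CMAPP and FCEngine.

```python
"""Map HijackThis O4 (autostart) lines to kill / fix / delete lists.

Added example; not part of the original thread or of HijackThis itself.
Assumptions (not from the page): WINDIR, the system32 fallback for bare
filenames, and whole-folder deletion under Program Files.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

WINDIR = r"C:\WINDOWS"                  # assumed Windows directory
SYSTEM32 = WINDIR + r"\system32"        # assumed target for bare filenames
PROGRAM_FILES = r"C:\Program Files"     # assumed Program Files location

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

# Constructed sample input: O4 lines copied from the fix above, plus one
# non-O4 line (a real HJT section header) to show it is skipped.
SAMPLE_LOG = r"""Running processes:
O4 - HKLM\..\Run: [vFsi3mT] dmlin.exe
O4 - HKLM\..\Run: [rqten] C:\WINDOWS\rqten.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ls4skp.exe reg_run
O4 - HKLM\..\Run: [fvyptpt] C:\WINDOWS\system32\ctswdmk.exe r
O4 - HKLM\..\Run: [4A45464B5051494C5] 211C1D222728202.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
"""


@dataclass
class AutostartEntry:
    hive: str        # HKLM or HKCU
    key: str         # Run, RunOnce, ...
    value_name: str  # registry value name shown in [brackets]
    exe_path: str    # resolved full path of the launched binary
    args: str        # anything after the executable


def _split_command(command: str) -> Tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in: " + command)
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one O4 line; return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, value_name, command = m.groups()
    exe, args = _split_command(command)
    if "\\" not in exe:
        # Bare filename: launched via the search path. The helper resolved
        # these to system32 (assumption; confirm on the actual machine).
        exe = SYSTEM32 + "\\" + exe
    return AutostartEntry(hive, key, value_name, exe, args)


def _dedup(items: List[str]) -> List[str]:
    return list(dict.fromkeys(items))


def plan_fix(log_lines: List[str]) -> dict:
    """Build the registry / kill / delete lists from selected O4 lines."""
    registry, kill, delete = [], [], []
    for line in log_lines:
        e = parse_o4(line)
        if e is None:
            continue
        registry.append(e.hive + "\\...\\" + e.key + "\\" + e.value_name)
        kill.append(e.exe_path.rsplit("\\", 1)[-1])
        if e.exe_path.lower().startswith(PROGRAM_FILES.lower() + "\\"):
            # Whole product folder, as the post did for CMAPP and FCEngine.
            rest = e.exe_path[len(PROGRAM_FILES) + 1:]
            delete.append(PROGRAM_FILES + "\\" + rest.split("\\", 1)[0])
        else:
            delete.append(e.exe_path)
    return {"registry": _dedup(registry), "kill": _dedup(kill),
            "delete": _dedup(delete)}


if __name__ == "__main__":
    plan = plan_fix(SAMPLE_LOG.splitlines())
    for section in ("registry", "kill", "delete"):
        print(section.upper())
        for item in plan[section]:
            print("  " + item)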
     
  7. geekmom322

    geekmom322 Private E-2

    Panda is running now on the infected machine
    I'll get all the logs you asked for posted shortly

    will also deal with removing the items you mentioned in your last post

    thank you
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It does take awhile to run all these scans but the end result is we find the bad guys and then we can remove them! ;)
     
  9. geekmom322

    geekmom322 Private E-2

    Attached are the log files from the Panda scan and from the Qoologic scan.
     

    Attached Files:

  10. geekmom322

    geekmom322 Private E-2

    Here is the rktools log file.

    HJT log will be posted in a minute (suggested fixes from your previous post have been done).
     

    Attached Files:

    • log.txt (662 bytes)
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to run Ccleaner? I see stuff showing in temp folders I would have expected it to delete. Also I see some stuff in the Recycle Bin.

    Empty the Recycle Bin for each user account. Also run Ccleaner on each user account. In the meantime I'll look at the other logs.
     
  12. geekmom322

    geekmom322 Private E-2

    HJT log attached
     

    Attached Files:

  13. geekmom322

    geekmom322 Private E-2

    I did run CCleaner, but only on 1 login, and there are 2 on this machine.
    Do you want me to still run it on the other user now, or wait for you to check these other logs?

    Doh, I forgot to run it on the current login.

    It has been done now.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you login to each user account! And run Ccleaner and empty the Recycle Bin on each account. Do that now.
     
  15. geekmom322

    geekmom322 Private E-2

    Have now run CCleaner and emptied the Recycle Bin on both users, and from both normal mode and safe mode on each as well.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now make sure viewing of hidden and system files is still enabled and run Windows Explorer. Locate and delete any of the below that still remain after using CCleaner and emptying the Recycle Bin as in my previous message.

    C:\Program Files\nrpn <--- the whole folder
    C:\Documents and Settings\Nate\Local Settings\Temp\!update.exe
    C:\Documents and Settings\Nate\Local Settings\Temp\ExtractDLL.dll
    C:\Documents and Settings\Nate\Local Settings\Temporary Internet Files\Content.IE5\IMWO4KIJ\!update-2795[1].0000
    C:\Documents and Settings\Nate\Local Settings\Temporary Internet Files\Content.IE5\KCFNHJXZ\JFM1[1].htm
    C:\WINDOWS\msbb.exe.temp
    C:\WINDOWS\sepsd.bin
    C:\WINDOWS\sqldata1.exe
    C:\WINDOWS\switpc.dat
    C:\WINDOWS\woinstall.exe
    C:\WINDOWS\mtuninst.exe
    C:\WINDOWS\SYSTEM32\211C1D222728202.exe
    C:\WINDOWS\SYSTEM32\6TO4SVC3.exe
    C:\WINDOWS\SYSTEM32\bho.dll
    C:\WINDOWS\SYSTEM32\dsktrf1.dll
    C:\WINDOWS\SYSTEM32\hotbod123121.ico
    C:\WINDOWS\SYSTEM32\lbkyhm.dll
    C:\WINDOWS\SYSTEM32\pdrpdb.dll
    C:\WINDOWS\SYSTEM32\uninst.exe
    C:\WINDOWS\SYSTEM32\VBUninstall.exe
    C:\WINDOWS\Temp\~640117.tmp
    C:\WINDOWS\Temp\~701145.tmp

    Afterwards reboot and let me know the results. Also tell me how things are working now.
     
  17. geekmom322

    geekmom322 Private E-2

    So far so good. I just ran a quick online test using IE, and after visiting a few sites, NO POP-UPS!!!!!! Yipppy!!!!!

    Firefox never gave much of a problem with pop-ups from the start.

    The real test will be tomorrow when I put it through its paces; for now I need sleep. It's almost 2 am for me, normally I am in bed by 9, and the alarm goes off at 6 am.

    Thank you so very very much for all your help. You guys are the greatest.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

