Pop-ups Nightmare, DriveCleaner and Errorprotector Advertising Messages

Discussion in 'Malware Help (A Specialist Will Reply)' started by acrwebline, Dec 24, 2006.

  1. acrwebline

    acrwebline Private E-2

    I am going nuts! :eek: I have been getting pop-ups even if I am not connected to the internet. This includes random "internet explorer like" messages leading to buy DriveCleaner and Errorprotector:rolleyes: . It's been 3 days trying different forums and spyware removal tools without success:confused: . Any help is appreciated!:( Here is my HJT Log:

    ~ INLINE HJT LOG REMOVED ~ SPD
    Read Me First not run, HijackThis installed improperly
     
    Last edited by a moderator: Dec 24, 2006
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware Log - ONLY IF NEEDED (you were not able to run CounterSpy)
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  3. acrwebline

    acrwebline Private E-2

    I tried everything there and here is the new log:


    ~ INLINE LOG REMOVED ~ SPD
    No, you didn't. Otherwise your log would show that you ran the programs required by our Read Me First.
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you followed our directions then you would not be posting logs inline. They are to be posted as attachments.

    HijackThis is not a malware removal tool; it is simply a scanner that scans certain registry keys for browser hijacks. Because of this it sometimes shows other forms of malware. However, HijackThis does not scan all the registry keys that can be used by malware. This is why we REQUIRE you to complete the Read Me First and post all 6 logs.
     
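The point in the reply above is that a HijackThis-style log covers a fixed set of autostart registry locations. The PowerShell script below is an added example, not code from the thread or from HijackThis, that enumerates the standard Run/RunOnce keys and the Winlogon Shell/Userinit values on a Windows host and flags entries whose target binary no longer exists (a common leftover after a partial clean-up). The key paths are the standard Windows ones; the default Winlogon values in the comments are assumptions for a stock install.

```powershell
# Added example (not from the thread): list common autostart registry
# entries so a defender can compare them against what a scanner log shows.
# Assumes Windows PowerShell on the machine being inspected.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line ("quoted path" or first token)
# and report whether it exists on disk.
function Test-CommandTarget {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($expanded -split '\s+')[0] }
    return [bool](Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell adds to every item.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key          = $key
                Name         = $p.Name
                Command      = $p.Value
                TargetExists = Test-CommandTarget $p.Value
            }
        }
    }
}

# Winlogon values that browser-hijack scanners typically check. Stock values
# (assumed defaults): Shell = 'explorer.exe',
# Userinit = "$env:SystemRoot\system32\userinit.exe,"
function Get-WinlogonEntries {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = "$env:SystemRoot\system32\userinit.exe,"
    }
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Value      = $name
            Current    = $wl.$name
            IsDefault  = ($wl.$name -ieq $expected[$name])
        }
    }
}

Get-RunKeyEntries  | Format-Table -AutoSize
Get-WinlogonEntries | Format-Table -AutoSize
```

Entries with TargetExists = False are orphaned launchers worth removing; a Winlogon value with IsDefault = False deserves a closer look, since extra programs appended to Shell or Userinit start before the desktop does.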
  5. acrwebline

    acrwebline Private E-2

    I apologize for my misuse of the thread before. I had run some of the tools you mention on the "Read this First Section" but surely not in the way you have it. Anyways, now that I have followed your steps "one by one" :cool:, sorry to say that the worm is still in the house :mad:. Thank you for taking the time to do a follow up and here are my first 3 attachments and 2 more to come next. :eek:
     

    Attached Files:

  6. acrwebline

    acrwebline Private E-2

    Here are the other 2 files you requested on your "Read this First" Section. :) Plus, I also tried one of your sticky threads on the "Special Removal Procedures" Section. Here you go::D
     

    Attached Files:

  7. acrwebline

    acrwebline Private E-2

    Forgot this one:eek:
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download Pocket Killbox

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    << Install Java Runtime Environment (JRE) 6 available from Sun Microsystems. >>

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Download Blacklight Beta from here:
    http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html

    * Download blbeta.exe and save it to the Desktop.
    * Once saved... double click blbeta.exe to install the program.
    * Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
    * If it displays any items...don't do anything with them yet. Just hit exit (close)
    * It will drop a log on the Desktop whose name starts with fsbl followed by a big number

    Please post contents of log along with a fresh HijackThis log.
     
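The Killbox steps above rely on the Windows "delete on reboot" mechanism, and the PendingFileRenameOperations prompt the reply asks about means that value already holds queued operations. The script below is an added example, not Killbox's code, that reads and decodes that registry value so you can see what is queued before rebooting. The registry path and the encoding (REG_MULTI_SZ of source/destination pairs, an empty destination meaning delete, a leading "!" meaning overwrite) are standard Windows behaviour; the helper name is my own.

```powershell
# Added example (not from the thread or from Killbox): decode the
# PendingFileRenameOperations value that "Delete on Reboot" tools use.
# Windows stores it as pairs of strings: source, then destination.
# An empty destination means the source is deleted at the next boot.

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileOperations {
    $item = Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
                             -ErrorAction SilentlyContinue
    if (-not $item) { return @() }

    $entries = @($item.PendingFileRenameOperations)
    $result  = @()
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        # Strip the NT object-manager prefix \??\ that the kernel expects.
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $entries.Count) { $dst = $entries[$i + 1] }
        # A leading "!" on the destination means "replace an existing file".
        $overwrite = $dst.StartsWith('!')
        $dst = ($dst -replace '^!', '') -replace '^\\\?\?\\', ''

        $result += [pscustomobject]@{
            Action      = if ($dst -eq '') { 'Delete' } else { 'Rename' }
            Overwrite   = $overwrite
            Source      = $src
            Destination = $dst
            SourceExists = [bool](Test-Path -LiteralPath $src -ErrorAction SilentlyContinue)
        }
    }
    return $result
}

$ops = Get-PendingFileOperations
if ($ops.Count -eq 0) {
    Write-Host 'No pending file rename/delete operations are queued.'
} else {
    $ops | Format-Table -AutoSize
}
```

Running this before the reboot shows exactly which paths the next boot will remove; if an unexpected source appears there, it came from something other than the paths you pasted into Killbox.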
  9. acrwebline

    acrwebline Private E-2

    Here are the new logs. But pop-ups still come back along with the DriveCleaner ads. :eek:
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm

    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  11. acrwebline

    acrwebline Private E-2

    Here is the log. Thank you for being so patient.;)
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Everything is coming back clean, no sign of DriveCleaner in any of the logs.

    Install and run AVG Anti-Spyware from our Read Me First and attach the log.
     
  13. acrwebline

    acrwebline Private E-2

    Here is the new log report from AVG Spyware and this @#4%* :mad: worm sends its best in the form of screen shots of my nightmare.
     

    Attached Files:

  14. acrwebline

    acrwebline Private E-2

    For some reason site does not let me attach the AVG Antispyware log. Error message says file has already been attached to this thread and I can see it on #9. I tried changing the file name, but no luck. PS: Forgot to mention that when I run Killbox from #8, I got the error message "PendingFileRenameOperations". Just in case, since it is a short log and although it is not correct, here is the copy and paste from log:
    12/25/06 18:13:34 [Info]: BlackLight Engine 1.0.47 initialized
    12/25/06 18:13:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/25/06 18:13:34 [Note]: 7019 4
    12/25/06 18:13:34 [Note]: 7005 0
    12/25/06 18:13:38 [Note]: 7006 0
    12/25/06 18:13:38 [Note]: 7011 1872
    12/25/06 18:13:38 [Note]: 7026 0
    12/25/06 18:13:38 [Note]: 7026 0
    12/25/06 18:13:45 [Note]: FSRAW library version 1.7.1020
    12/25/06 18:44:44 [Note]: 7007 0
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just add a blank line to the end of the log and attach it.
     
  16. acrwebline

    acrwebline Private E-2

    Ok, Let's try this again.
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That was a log from BlackLight. Run AVG Anti-Spyware and attach a fresh log.

    I want to use a different RootKit scanner. Follow the directions for Using Sophos Anti-Rootkit.
     
  18. acrwebline

    acrwebline Private E-2

    Here are the fresh logs. Thank you again.
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Follow the directions for Running Hoster

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Download new copies of GetRunKey and ShowNew.

    Post fresh HijackThis, GetRunKey and ShowNew logs.
     
  20. acrwebline

    acrwebline Private E-2

    Thank you for coming back! Hope you enjoyed your X-mas. Here are the new logs:)
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    All your logs are clean.

    Are you still getting DriveCleaner pop-ups?
     
  22. acrwebline

    acrwebline Private E-2

    Sorry about the delay. I was out of town, but I came back today. My PC is always on and when I came back I had 103 pop-ups. How is that? Should I just give up and format the HD and reinstall windows?:( Thanks for your help.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's see if we can get it fixed without having to format. Let's first start by removing some of the excess scanners now since they are not showing anything anyway and they are only trial versions. Please complete each step below in the order given before doing the next steps.
    1. Uninstall CounterSpy (reboot if told it needs to) and then delete any left over folders from it like these:
      • C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Sunbelt Software
      • C:\Program Files\Sunbelt Software
    2. Uninstall AVG Antispyware (reboot if told it needs to)
    3. You don't appear to be using McAfee anymore but there are folders remaining from it. Let's remove the clutter
      • C:\Documents and Settings\HP_Administrator\Application Data\McAfee.com Personal Firewall
      • C:\Documents and Settings\All Users\Application Data\McAfee
      • C:\Documents and Settings\All Users\Application Data\mcafee.com personal firewall
      • C:\Program Files\mcafee.com
      • C:\Program Files\Common Files\McAfee
    4. Let's do the same for Prevx1 which is not installed. Delete the below folder
      • C:\Documents and Settings\All Users\Application Data\Prevx
    5. Let's do the same for TrendMicro. Delete the below folder
      • C:\Program Files\Trend Micro
    6. Is SpywareDoctor a paid version or free trial?
      • If paid, keep it and uninstall Windows Defender
      • If free, uninstall Spyware Doctor and keep Windows Defender
    7. Run this Disable/Remove Windows Messenger to remove Windows Messenger.
    8. Run this ViewpointKiller to remove Viewpoint Media software.
    9. Now run the below steps to remove a bad NT Service
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to HOL
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste HOL into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot if it tells you it needs to.
    Now delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp

    Now reboot your PC.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Question:
    Did you run Hoster as instructed in message number 19?
     
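Step 9 of the reply above removes a suspicious service by hand through services.msc and HijackThis. The script below is an added example, not code from the thread or from either tool, that does the same inspection and removal from an elevated PowerShell prompt: it shows where the service binary lives, stops it, sets it to Disabled, and only deletes it when explicitly asked. The service name HOL comes from the thread; the parameter names, the helper function and the "outside the Windows directory" heuristic are my own assumptions.

```powershell
# Added example (not from the thread): inspect, stop, disable and optionally
# delete a Windows service by name. Run from an elevated PowerShell prompt.
# Assumes Windows PowerShell 3.0 or later (for Get-CimInstance).

param(
    [string]$ServiceName = 'HOL',   # service name taken from the thread
    [switch]$Remove                 # without this, only stop and disable
)

function Get-ServiceDetail {
    param([string]$Name)
    # Escape single quotes so the WMI filter cannot be broken by the name.
    $safe = $Name -replace "'", "''"
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$safe'"
    if (-not $svc) { return $null }

    $regKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $imagePath = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).ImagePath

    [pscustomobject]@{
        Name         = $svc.Name
        DisplayName  = $svc.DisplayName
        State        = $svc.State
        StartMode    = $svc.StartMode
        PathName     = $svc.PathName
        ImagePath    = $imagePath
        # Heuristic (assumption): a service binary outside %SystemRoot% or
        # Program Files is unusual and worth examining before removal.
        InSystemDirs = ($svc.PathName -like "*$env:SystemRoot*") -or
                       ($svc.PathName -like "*$env:ProgramFiles*")
    }
}

$detail = Get-ServiceDetail -Name $ServiceName
if (-not $detail) {
    Write-Host "Service '$ServiceName' not found; nothing to do."
    exit 0
}
$detail | Format-List

# Stop the service if it is running, then keep it from starting again.
if ($detail.State -eq 'Running') {
    Stop-Service -Name $ServiceName -Force -ErrorAction Continue
}
Set-Service -Name $ServiceName -StartupType Disabled
Write-Host "Service '$ServiceName' stopped and set to Disabled."

if ($Remove) {
    # sc.exe marks the service for deletion; the entry disappears once the
    # last handle to it is closed, at the latest after a reboot.
    & sc.exe delete $ServiceName
    Write-Host "Deletion requested for '$ServiceName'; reboot to complete it."
}
```

Save it as, for example, Remove-SuspectService.ps1 and run it once without -Remove to review the PathName and ImagePath output; only after confirming the binary is not something you rely on, run it again with -Remove, then reboot and collect fresh logs as the reply asks.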
  24. acrwebline

    acrwebline Private E-2

    Pop-ups are gone. I don't know if all the steps taken on the prior posts took care of it, but I decided to delete the user Hp-Administrator (the only user or default user when I bought the PC) and create a new user for me, and I haven't seen pop-ups or ads for the past 2 days. Thank you for your assistance.
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Things are working now, and that's all that really matters. Glad we could be of some help.
     
