Pop-ups, viruses and search bar changes

Make sure you follow the directions below and then post your HJT log:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {99BCEBF1-0A49-BBD2-B23E-74E308E59C59} - C:\PROGRA~1\MOREST~1\Five blue.exe (file missing)
O4 - HKLM\..\Run: [Book mail anti does] C:\Documents and Settings\All Users\Application Data\vc regs book mail\fordsect.exe


The below item (StopSign) should be uninstalled. See this: http://www.spywarewarrior.com/rogue_anti-spyware.htm#ss_note
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k


Also fix the below left over items from BitDefender.
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\Program Files\MOREST~1\Five blue.exe
C:\Documents and Settings\All Users\Application Data\vc regs book mail\fordsect.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You forgot the log. I need to see if first but, does SpywareGuard give you more info?

Those folders in C:\windows are valid. They are from your Windows updates.

 

You need to disable Spybot's Teatimer and disable SpywareGuard's protection or uninstall it while we fix this problem.

To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
Now quit Spybot!

Then reboot and tell me where things stand.

 

Are you having any malware related problems right now?

Post a current HJT log from normal boot mode.

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Part of your problem looks like a LOP infection. Print of copy these instructions because I'm going to have you kill ALL Internet Explorer sessions (iexplore.exe) in the next step using HijackThis.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
The below items are the same program even though they look slightly different. Kill any processes you see that have iexplore.exe in them. DO NOT kill explorer.exe.
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ytftttbrmkjlfusatpqemb.com/s/EGFwEkIu_BQf3M7jHwGIlyPQdF1fP5go0Nkq/a1V/9B6aMcR/KaxFkRmUNyXOv.htm
O4 - HKCU\..\Run: [1 Amen] C:\DOCUME~1\Damian\APPLIC~1\FRAGSI~1\Dumbgrim.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\Doucments and Settings\Damian\APPLIC~1\FRAGSI~1 <--- Delete the whole folder. This is an abbreviated path. You must look to determine the full path. For example APPLIC~1 is probably Application Data.


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Run my fixes and we shall see. If CounterSpy pops up when you try to make my fixes, just say yes to allow the changes to proceed.

 

But you still have an R1 line. Try fixing it with HJT now:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jygogpsizgeflocv.com/s/EGFwEkIu_BQf3M7jHwGIlyPQdF1fP5go0Nkq/a1V/SotKf5s57pxFkRmUNyXOv.htm


Make sure something like it does not come back. Also do the below:

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Okay! Looks good now. To help keep you clean, check out the below thread:

How to Protect yourself from malware!

 

You're welcome. Surf safely!