Popup & System Problems

You said nothing about running the READ ME FIRST sticky so I'm assuming it was not run.

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below exactly as written:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Do you know what the below is?
C:\Program Files\amta\wasl.exe
O4 - HKCU\..\Run: [Urni] C:\Program Files\amta\wasl.exe

Is it some kind of WinAmp plugin? If not, you should added it to the list of processes below to kill and you should add the O4 line to the list of lines to fix with HJT. And then add the C:\Program Files\amta folder to the list of items to delete in safe mode.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Look in Add/Remove programs for SurfSideKick 3 and uninstall if found.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\t?skmgr.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\System32\m190309.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Ors] C:\WINDOWS\System32\t?skmgr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/tradewinds/install.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.47/ttinst.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wdapi.dll

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\SurfSideKick 3 <--- the whole folder
C:\WINDOWS\System32\vidctrl <--- the whole folder
C:\WINDOWS\System32\E6F1873B.DLL or C:\WINDOWS\E6F1873B.DLL
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\m190309.EXE
C:\WINDOWS\System32\AUNPS2.DLL or C:\WINDOWS\AUNPS2.DLL
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\t?skmgr.exe <--- do not delete taskmgr.exe. Look for another similarly named file (probably a few 200k to 400k bytes in size.) The ? may or may not show exactly this way. If you are not sure, don't delete it.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

BJ is correct!

No I did not say re-install. I was just reminding you what Ccleaner is. It is a program downloaded while running the READ ME FIRST. Many people forget and ask "what is Ccleaner"?

And yes all files in the Prefetch folder can always be deleted. Good ones will come back as necessary.

 

You are clicking the wrong Back button. Click the one on the lower right of the screen so you get back to the true Scan window. Now you can click Scan. Start the procedure at the beginning to make sure nothing as started up again.

 

Delete the cfgmgr52 file too.

You forgot to do the last step of my instructions:

Do not install Win XP SP2 until we have verified you are clean by looking at the log.

 

In message # 4 I asked the below but you did not answer the question. Please answer because this seems supicious.

You still have some problems that I asked you to fix in message # 4. We will cover them again.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\System32\m190309.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe

Also fix the below wasl.exe line if you did not know what it was.
O4 - HKCU\..\Run: [Urni] C:\Program Files\amta\wasl.exe

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\nsvsvc <--- the whole folder
C:\WINDOWS\System32\vidctrl <--- the whole folder
C:\Program Files\amta <--- delete the folde if you decided it was an unknown
C:\WINDOWS\System32\m190309.EXE

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Make sure you tell me if you cannot find any of these files or folder. Also tell me if you find them but cannot delete them.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and continue with the steps below. You have a Look2Me VX2 infection we need to fix.

Download this: L2MeFix Tool

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing

Please move the L2MeFix Tool (I had you download above) to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad.

Do not run any other files in the L2MFix folder.


When it finishes, get a new HJT log and then reconnect to the internet.

Post the log from L2MeFix and the new HJT log as attachments.

Let me know how things look now.

 

Please do not post the logs as Word Documents. They are in text format to begin with. Keep them that way. Word Docs are annoying and too big. You will find that sometimes they are even too big to post.

 

You still show many of the same problems in your HJT log. Are you sure you are clicking fix? Are you getting any error messages?

 

Download Pocket KillBox but do not run it yet.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\System32\m190309.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

After clicking Fix, exit HJT.

Now please extract the files from the Pocket KillBox download into its own folder and run killbox.exe

Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.
C:\Windows\System32\Program\BackWeb-8876480.exe <--- I'm not sure what the full path to this file is??? If you know, then use what you know.
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\m190309.EXE

After entering the last file, say YES and allow your PC to reboot. If you get a Pending Files operation error or for any other reason it fails to reboot, just reboot it yourself.

After reboot post a new HJT log and tell me how the above steps went.

 

The logs files need to be obtained after you fix what I give you to fix. Notice the end of message #4. A new HJT log is supposed to be obtained and post after all the above steps had been followed. The same goes for message # 18. You run HJT to fix everything then you exit HJT and run Killbox to delete files. After that you are rebooting and getting a NEW HJT log to post.

 

Okay your log is now clean of malware. How are things working?

 

You may want to uninstall Norton, reboot, and then reinstall to see if it fixes the problem.

To help keep your PC clean, run the steps in the below thread. The first step in that thread you will see is to goto Windows Update:

How to Protect yourself from malware!