spyware hell

Discussion in 'Malware Help (A Specialist Will Reply)' started by Chrispyuno1, Feb 24, 2006.

  1. Chrispyuno1

    Chrispyuno1 Private E-2

    i ran all of the programs asked in the sticky thread and my panda scan went from over 300 objects found (9 dialers, 270+ spyware, and over 9 viruses) :eek: to 52 or so spyware, so I can't be in too much trouble anymore... right? But still having pop-ups. Posting logs now, any help appreciated, tyvm
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, ran Ewido and it found like 76 things and said it cleaned them all, and I have a fresh HJT log attached
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo .com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    F2 - REG:system.ini: UserInit=userinit.exe

    O2 - BHO: (no name) - {F0823EF5-3999-8431-AEB7-204B4D64D334} - C:\DOCUME~1\CHRISP~1\APPLIC~1\bluebook\Cake Ref.exe (file missing)

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    O15 - Trusted Zone: webauth.comcast.mail
    O15 - Trusted Zone: mailcenter.comcast.net
    O15 - Trusted Zone: mailcenter2.comcast.net
    O15 - Trusted Zone: www.comcast.net
    O15 - Trusted Zone: http://www.comcast.net
    O15 - Trusted Zone: game1.pogo.com
    O15 - Trusted Zone: http://game1.pogo.com
    O15 - Trusted Zone: play.pogo.com
    O15 - Trusted Zone: www.pogo.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, please boot into Safe Mode, and be sure you have the Viewing of Hidden Files & Folders enabled per the tutorial. Then navigate to and DELETE the following if they still remain:

    C:\WINDOWS\system32\1024 Delete this whole folder if it exists!

    C:\Documents and Settings\Chris Purcell\Favorites\Adult Delete this whole folder if it exists!

    C:\WINDOWS\system32\ldBB16.tmp

    C:\Documents and Settings\Chris Purcell\Favorites\Antivirus Test Online.url

    Next, run CCleaner to clean up cookies and temp files.

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
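    The HijackThis entries listed above fall into a few recognizable classes: R1 browser start/search/proxy settings, O2/O9 entries whose target file is already gone, O6 Internet Explorer policy restrictions, and O15 Trusted Zone additions. The Python below is an added example for triaging a log of this shape; it is not HijackThis code nor anything posted in this thread. The sample log is constructed from the lines quoted in the post above, the triage rules and the assumption that O15 entries without an "(HKLM)" suffix are per-user are mine, and it only reports findings, it does not change anything on the machine.

```python
"""Parse HijackThis-style log lines and flag the entry classes that the
helper above told the user to fix. Added example, not HijackThis code."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the entries quoted in the post above, plus one
# non-entry line ("Running processes:") to show that it is skipped.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo .com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {F0823EF5-3999-8431-AEB7-204B4D64D334} - C:\DOCUME~1\CHRISP~1\APPLIC~1\bluebook\Cake Ref.exe (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O15 - Trusted Zone: webauth.comcast.mail
O15 - Trusted Zone: *.musicmatch.com (HKLM)
"""

# Every HijackThis entry starts with a section code such as R1, O2, O15.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str  # e.g. "O15"
    body: str     # text after "O15 - "


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Return the section-coded entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag the entry classes fixed in the thread. Rules are this example's
    own; a real review still reads each entry in context."""
    findings = []
    for e in entries:
        if e.section in ("O2", "O9") and "(file missing)" in e.body:
            findings.append(Finding(e, "dead reference: target file no longer exists"))
        elif e.section == "O6":
            findings.append(Finding(e, "IE policy restriction present (locks browser settings)"))
        elif e.section == "O15":
            findings.append(Finding(e, "site added to IE Trusted Zone (weaker zone settings apply)"))
        elif e.section == "R1" and "ProxyServer" in e.body:
            findings.append(Finding(e, "proxy server configured in IE settings"))
        elif e.section == "R1" and ("Default_Page_URL" in e.body or "SearchURL" in e.body):
            findings.append(Finding(e, "browser start/search page set; confirm it is wanted"))
    return findings


def trusted_zone_domains(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(domain, scope) for each O15 entry. Assumption: the "(HKLM)" suffix
    marks a machine-wide entry; anything else is treated as per-user."""
    out = []
    for e in entries:
        if e.section != "O15" or not e.body.startswith("Trusted Zone: "):
            continue
        rest = e.body[len("Trusted Zone: "):]
        scope = "HKCU"
        if rest.endswith(" (HKLM)"):
            rest = rest[:-len(" (HKLM)")]
            scope = "HKLM"
        out.append((rest, scope))
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for f in triage(parsed):
        print(f"{f.entry.section:<4} {f.reason}\n     {f.entry.body}")
    print("Trusted Zone:", trusted_zone_domains(parsed))
```

Running it on the sample flags nine of the ten entries; the F2 line is left alone because nothing in the rules above says anything about it, which is the point: the script narrows what a reviewer has to read, it does not replace the reading.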
     
  5. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, back from work, and have followed all the steps. I have the HJT log attached, and on my way here still had pop-ups. If there's anything else ya'd like just let me know, thanks again for helping
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What are the pop-ups of? Just random stuff?

    Let's dig a little deeper and see what we can find. See the below thread on how to run WinPFind and attach the log.
     
  7. Chrispyuno1

    Chrispyuno1 Private E-2

    the pop-ups are pretty random. A lot of the time it's "search inquiry", other times it was named some random 4 digit number or so like "1622", and others had no name at all. I ran WinPFind like asked and have the log attached now
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode, and be sure you have the Viewing of Hidden Files & Folders enabled per the tutorial. Then navigate to and DELETE the following if they still remain:

    Delete each folder in bold!

    C:\Program Files\MyWay
    C:\Program Files\Alnet
    C:\Program Files\Kazaa
    C:\Program Files\NewDotNet
    C:\Documents and Settings\All Users\Application Data\flag rect beep name
    C:\Documents and Settings\CHRISP~1\Application Data\PLAYHE~1

    Now manually locate and delete each file below...

    C:\WINDOWS\p5J0f

    C:\WINDOWS\system32\bdeadmin.cpl

    C:\Documents and Settings\Chris Purcell\Application Data\1.bmp

    C:\Documents and Settings\Chris Purcell\Application Data\2.bmp

    Next, copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    After you complete the above, reboot back to normal mode and let me know how things are running.
     
  9. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, ran through all that, couldn't find
    C:\Program Files\MyWay
    C:\Program Files\Alnet
    C:\Program Files\Kazaa
    C:\Program Files\NewDotNet
    C:\Documents and Settings\CHRISP~1\Application Data\PLAYHE~1

    but i found and deleted the rest and created the registry entries. Before i posted i went to a site that i know doesn't have pop-ups and got just to the log in part and got a pop-up named "Advertisement"
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run the registry patch from my last post?

    How have things been running so far?
     
  11. Chrispyuno1

    Chrispyuno1 Private E-2

    yes i did the fix.reg like asked to do previously. Just got a few more pop-ups right before coming back to MG.com, 3 that i remember are winfixer.com, images.trafficmp.com (says "advertisement" on the header of the browser page) & also partypoker.net pop-ups. Other than that, seems faster. Now i am ready for more tasks....lol
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start with a fresh HJT log and a fresh WinPFind log.
     
  13. Chrispyuno1

    Chrispyuno1 Private E-2

    here is the new winP log & HJT log, just let me know what else you wanna see
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download AproposFix© by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe, which will give you a choice of where to unzip/install the program to. This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, post the entire contents of the log.txt file that has been created in the aproposfix folder.
     
  15. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, i saved aproposfix to desktop, went in safe mode, ran program, (ARGGG) it said it was either corrupted or missing something. I'm gonna try to uninstall & try again before i get back to posting results
     
  16. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, back with logs for aproposfix. **** i got the log :confused: & didn't realize it saved in the folder, forgot to copy & paste into notepad, so as rebooted, i went back into safe mode & did a 2nd log. I will post both, i will name the 2nd file aproposfix2.txt so u know which is which. ** i changed the log.txt to aproposfix.txt so u know what logs I'm uploading
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, that's what I was thinking. Reboot again and reboot back to Safe Mode. Run the AproposFix once more and attach the log, also let me know how things are running.
     
  18. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, ran aproposfix again, BUT it says i already submitted it to this thread ( so i changed the name & it says the same thing, hope it doesn't put it in because i changed the name a few times & it would probably be 7 uploaded files ). HOWEVER i woke up this morning, & CounterSpy ran, & got 28 i think it was spyware, or it was malware, & since then, I HAVEN'T GOT A POP-UP ( knock on wood ). ty 4 your help ( if this is my last post ), i really appreciate techs like you all, & i referred a bunch of people so far!! cos i am happy with the service & help :)
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can't attach it, paste it inline and I will convert it for you.
     
  20. Chrispyuno1

    Chrispyuno1 Private E-2

    things are still looking good ( knocking on wood ) no Pop-ups , ok here is the aproposfix # 3

    A subdirectory or file backups already exists.

    ---------- C07FT5Y.TXT

    ---------- C5IL8AXMIFPM.TXT
    "ServerAddress"="adchannel.contextplus.net"
    "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
    "SU"="http://au.contextplus.net/services/AUServer"
    The system cannot find the file specified.
    Could Not Find C:\Documents and Settings\Chris Purcell\Desktop\reports\aproposfi
    x\aprps.txt
    C:\Program Files\Pogreal\sdbaemon.exe
    C:\Program Files\Pogreal\vssdplay.exe
    C:\Program Files\Pogreal\WinGenerics.dll
    3 file(s) copied.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's run another scan to be sure nothing else is hiding around...

    Please download Blacklight to its own folder...

    F-Secure Blacklight

    After the download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post along with a fresh HJT log.
     
  22. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, did have a pair of pop-ups :( but i think i clicked on a stupid advertisement from a website... other than that, it's been pop-up free. I have the Blacklight log for you, Blacklight found 0 items, hope that's a good thing :) For some reason, now i CAN'T post HJT, it says already in thread. Is this a common problem?? How do i go around this? i will just post it here in the message body,

    Incomplete log removed!
     

    Attached Files:

    Last edited by a moderator: Mar 2, 2006
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run HJT again and save a new log, call it hjtlogfinal and see if you can attach it now.
     
  24. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, still running pretty good, But 2 instances my virus protector caught progreal..... is this something to ignore? i did click "let me continue what i was doing", & both times i was running CounterSpy. Here is my newest HJT
     

    Attached Files:

  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Never heard of "progreal", can you find out exactly what was detected?
     
  26. Chrispyuno1

    Chrispyuno1 Private E-2

    sry, the name was pogreal, NOT progreal. i looked it up by searching my puter, & it found a folder with these few programs..... a folder named Cache, WinGenerics.dll, vssdplay.exe, & sdbaemon.exe, hope that helps you :)
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's run this and see where we stand..

    Download AproposFix© by Swandog46

    Save it to your desktop or to another folder of its own, but do NOT run it yet!

    Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

    Once in Safe Mode, double-click aproposfix.exe, which will give you a choice of where to unzip/install the program to. This is called the Destination folder in the window that pops up. So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to. It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix. Follow the prompts.

    When the tool is finished, reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file that has been created in the aproposfix folder.
     
  28. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, Back from work, UGG LOL, back to the POGREAL thing. i had McAfee virus scan do its thing, & this popped up. i was mistaken earlier when i said CounterSpy, it was McAfee. C:\program files\pogreal\cache\00006737_43e3f494_0000f424 ..... is a potentially unwanted program. Also attached is a new HJT & aproposfix from 4:30 PM EST 3/4/06
     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode, manually locate the below folder and delete if found:

    C:\Program Files\Pogreal

    After you complete the above, run the Apropos FIX once more and attach the log to your next post.
     
  30. Chrispyuno1

    Chrispyuno1 Private E-2

    ok, deleted pogreal folder, ran Aproposfix again, log & new HJT log also enclosed.
     

    Attached Files:

  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That log looks a little better, looks as if we're getting somewhere now. Just to confirm you are clean from this baddie, reboot to Safe Mode and run the AproposFix once more and attach the log to your next post.
     
