Uncle, maybe I need some extra help.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Blainiac, Nov 17, 2004.

  1. Blainiac

    Blainiac Private E-2

    My computer is running quite well; however, I have popups coming up in IE that open their own window, and lately they have been exclusively for winXXXX (i.e. winantispyware, winpopupblocker etc.). I just have to close the window and continue. They seem to come up mostly when I go onto any site that involves spyware software.

    I first tried Norton antivirus and it cleaned up several things but not these popups. I also tried Adaware SE, Giant Spyware and Spybot but to no avail.
    I ran a couple of HijackThis logs and tried to fix a line with atlevents, but it continues to come back time after time.

    Next I found your forums and ran through the spyware basics and proceeded step by step in safe mode (with Windows Restore off) with the online scans and received no virus or spyware detections. I then cleaned out my files with CCleaner.

    I then ran the adaware scan with the additional V2X (can't remember its exact name) update and it found 5 entries in the reg keys and reg values with atlevents. I fixed these. Also ran Spybot S&D and it found a couple more things and I fixed those as well.

    I completed the instructions and ran the rest of the software recommended and they had no more problems. I also got rid of the Microsoft Java as recommended in the options and installed the other one that was recommended. I did run a HijackThis log and again tried to fix the entry with the atlevents. Finally I rebooted and opened up downloads.com and up popped the winantispyware popup.

    From reading some other posts it sounds like I might have the stopguard but I am not sure. Any suggestions would help greatly. Thanks for reading and I hope this isn't too much info on a post.
     
  2. Kodo

    Kodo SNATCHSQUATCH

  3. Blainiac

    Blainiac Private E-2

    Kodo,
    I am at work right now but I will post my HijackThis log tonight after I get home.
     
  4. PhilliePhan

    PhilliePhan Guest

  5. Blainiac

    Blainiac Private E-2

    Alright,
    Here is my log file.
    I booted in safe mode and ran the adaware and got these:
    5 entries for Virtumondo (2 Reg keys, 2 Reg Values all with ATLevents.ATLevents and a
    file: c:\windows\system32\bkinst.exe)

    Then I ran Spybot and got 4 entries for ATLevents and also 5 entries for DSO Exploit which show up as registry changes.

    I fixed and immunized all these with both programs and then ran HijackThis and produced my log.

    I need to get some sleep so I will look to a reply tomorrow. Thanks for the help.
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Blainiac,

    You can get the fix for Spybot’s DSO Exploit bug HERE: Spybot - Search and Destroy DSO Exploit Fix

    This is my generic removal procedure for your StopGuard-related infection:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please follow the instructions carefully.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Look in C: > WINDOWS > PREFETCH & Delete bkinst.exe and imgnut.exe ( or any imgnut or tungmi entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NEXT:
    Run HijackThis and Check the Boxes for the Following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites

    O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Blaine.RUT\LOCALS~1\Temp\tungmi.dat

    O4 - HKLM\..\Run: [*odbcdns] C:\WINDOWS\system\odbcdns.exe

    O4 - HKLM\..\Run: [*imgnut] C:\WINDOWS\Config\imgnut.exe

    O4 - HKLM\..\RunOnce: [*imgnut] C:\WINDOWS\Config\imgnut.exe rerun

    O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\Blaine.RUT\LOCALS~1\Temp\bkinst.exe ren time:1100753529


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Config\imgnut.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINDOWS\system\odbcdns.exe
    C:\WINDOWS\Config\imgnut.exe
    C:\DOCUME~1\Blaine.RUT\LOCALS~1\Temp\tungmi.dat
    C:\DOCUME~1\Blaine.RUT\LOCALS~1\Temp\bkinst.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    bkinst
    tungmi
    odbcdns
    imgnut


    and DELETE the related files. (We especially want to get rid of imgnut.ini & imgnut.dat & imgnut.bak AND tungmi.ini & tungmi.dat & tungmi.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions. I'll try to check back when I get a chance.

    Best luck :)
    PP
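As an added example (not from the thread and not PhilliePhan's procedure), a read-only PowerShell check that looks for the same artifacts the post above lists: Run/RunOnce values referencing the four file names, the CATLEvents BHO CLSID from the O2 line, and files named bkinst, tungmi, odbcdns or imgnut in Prefetch, WINDOWS\system, WINDOWS\Config and each profile's Temp folder. It assumes PowerShell 3 or later, and the Users\...\AppData\Local\Temp location is an assumption for post-XP Windows; it reports findings and deletes nothing.

```powershell
# Added example, not from the original thread: read-only check for the
# StopGuard/ATLEvents artifacts listed in the post above. It reports and
# removes nothing. Names and paths come from the post; the CLSID is the GUID
# of the CATLEvents BHO in the HijackThis O2 line.
$names   = @('bkinst', 'tungmi', 'odbcdns', 'imgnut')
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$bhoClsid = '{C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B}'
$findings = @()

# 1. Autostart values (the O4 lines) whose name or command mentions a name.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        foreach ($n in $names) {
            if ($p.Name -like "*$n*" -or "$($p.Value)" -like "*$n*") {
                $findings += "Run entry: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. The BHO registration (the O2 line) and the DLL/DAT it points at.
foreach ($hive in 'HKLM', 'HKCU') {
    $bho = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
    if (Test-Path $bho) { $findings += "BHO registered: $bho" }
    $srv = "${hive}:\Software\Classes\CLSID\$bhoClsid\InprocServer32"
    if (Test-Path $srv) { $findings += "BHO server: $((Get-ItemProperty $srv).'(default)')" }
}

# 3. Files in Prefetch, the two Windows subfolders and every profile's Temp.
# Users\...\AppData\Local\Temp is an assumption for post-XP Windows.
$profiles = @(Get-ChildItem "$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings" -Directory -ErrorAction SilentlyContinue)
$dirs = @("$env:WINDIR\Prefetch", "$env:WINDIR\system", "$env:WINDIR\Config") +
        @($profiles | ForEach-Object { Join-Path $_.FullName 'Local Settings\Temp'
                                        Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    foreach ($f in (Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue)) {
        $base = $f.BaseName
        if ($names | Where-Object { $base -like "*$_*" }) { $findings += "File: $($f.FullName)" }
    }
}

if ($findings) { $findings | Sort-Object -Unique } else { 'No StopGuard artifacts found.' }
```

Run it from an elevated prompt so HKLM and other users' Temp folders are readable; any line it prints is something to verify by hand before removing.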
     
  7. Blainiac

    Blainiac Private E-2

    PhilliePhan,
    I believe it is safe to say that you have made me a FREE MAN!!!! :) I am no longer shackled by StopGuard. I am including a new log, and I have also fixed the 2 O9's with Windows Messenger after I saved the log. I'll experiment with IE more but I have a very good feeling. I will also take some of the precautions to protect myself from malware. Thanks, I mean it really. THANK YOU!!!!! :)

    PS Very good and concise instructions. You guys should be very proud of the work you do; it is very appreciated.
     
  8. PhilliePhan

    PhilliePhan Guest

    You are very welcome!! We are happy to help :)

    Your HJT log looks good. Glad my generic procedure worked - Others are having trouble with it and I can't figure out why.

    Definitely take a look at Chaslang's suggestions for safeguarding your machine against malware!

    Happy and Safe Computing :)
    PP
     