Unremovable Pop Ups!!!!!!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by JimmieT, Mar 20, 2005.

  1. JimmieT

    JimmieT Private E-2

    Last weekend I was on a karaoke site with my son and hit the back button to go back to Google..... and it happened. Non-stop adware pop-ups. I had Norton running on my machine but not the prevention I needed.

    Since last weekend I have made a lot of changes but I still can't get it to stop! I have downloaded and installed Firefox, SpyBot, Microsoft AntiSpyware, CounterSpy, and read and fully executed "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal". Nothing has helped!!!!!!!

    I have downloaded HijackThis and am wondering if someone can assist me in interpreting the report?

    Any other ideas?

    The pop ups still hitting me are from the following three sites:
    ads.deskwizz.com
    banners.searchingbooth.com
    looking4links.com
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

    Second:

    Download the following tool.
    • Run the L2MeFix Tool
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log. Attach this log!

    NOTE: Please do not run any other options or files in the l2mfix Folder!
     
  3. JimmieT

    JimmieT Private E-2

    Thanks for the reply.

    I have attached the HJT log. I was unable to get L2Mfix to run. Please advise.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Why were you not able? What happened?

    Please update to Hijack This 1.99.1 and attach a new log using the new version.
     
  5. JimmieT

    JimmieT Private E-2

    I downloaded and followed instructions. When I double-clicked on the .bat file nothing happened. I waited a couple of minutes and then right-clicked on it and hit Open. Again nothing happened.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following tool:


    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.


    Also, Please update to Hijack This 1.99.1 and attach a new log using the new version.
     
  7. JimmieT

    JimmieT Private E-2

    I have attached a new HJT log file from the newer version. I also downloaded "Find It NT-2K-XP" and followed the directions. The same results as last time - the .bat file would not run. I allowed at least ten minutes for the .bat file to do its thing.

    Any other suggestions?
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Let me check your HJT log and we will go from there.

    I will go ahead and start you a fix but before you begin with it please relocate your HJT.

    C:\Documents and Settings\Jim & Sue\Desktop\Spy 3\HijackThis.exe

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  9. JimmieT

    JimmieT Private E-2

    Thanks!
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    optlhfmh.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)

    O2 - BHO: (no name) - {D87BDBE1-A340-4E55-91BB-5E0B7C8EEB73} - (no file)

    O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
    O4 - HKLM\..\Run: [bsuwdk] c:\windows\system32\bsuwdk.exe

    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.jud2.state.ct.us/webforms/Codebase/FormCtl.cab
    O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
    O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
    O16 - DPF: {32E28703-3325-11D4-93DD-0004AC152B66} (HlbfsMonthlyRevenue.ctlHlbfsMonthlyRev) - http://eis.hilton.com/cis/hlbfs/Revenue/HlbfsMonthlyRevenue.CAB
    O16 - DPF: {452C5175-B356-11D6-93DE-0004AC152B66} (HlbfsFoodRevenue.ctlHlbfsFoodRev) - http://eis.hilton.com/cis/hlbfs/Revenue/HlbfsFoodRevenue.CAB
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF: {4BD66342-FB13-11D6-93DE-0004AC152B66} (HlbfsQuickEntry.ctlHlbfsQuickEntry) - http://eis.hilton.com/cis/hlbfs/Expense/HlbfsQuickEntry.CAB
    O16 - DPF: {4EDE1BD3-6999-11D6-93DE-0004AC152B66} (HlbfsDailyExpense.ctlHlbfsDailyExpense) - http://eis.hilton.com/cis/hlbfs/Expense/HlbfsDailyExpense.CAB
    O16 - DPF: {51BC61E6-45F2-11D5-93DD-0004AC152B66} (HLBFSLaborByCovers.ctlHlbfsCoverLabor) - http://eis.hilton.com/cis/hlbfs/Labor/HlbfsLaborByCovers.CAB
    O16 - DPF: {5C8ACBF0-FE91-11D4-93DD-0004AC152B66} (ReportViewerCtl.ctlReportViewer) - http://eis.hilton.com/cis/ReportViewer/ReportViewer.CAB
    O16 - DPF: {5D5971B4-64EC-11D5-93DD-0004AC152B66} (HlbfsProdLabor.ctlHlbfsProdLabor) - http://eis.hilton.com/cis/hlbfs/Labor/HlbfsProductivityLabor.CAB
    O16 - DPF: {65F0B146-F8FF-41D6-8349-DFC03B285EC9} (HlbfsReporting.ctlReporting) - http://eis.hilton.com/cis/hlbfs/Reports/HlbfsReporting.CAB
    O16 - DPF: {DD7074EB-1436-11D3-BBF3-000086195AD6} (HlbfsTaskList.ctlHlbfsTaskList) - http://eis.hilton.com/cis/hlbfs/HlbfsTaskList.CAB
    O16 - DPF: {E9519EA5-BB7F-11D7-93DE-0004AC152B66} (HlbfsOtherRevExp.ctlHlbfsOre) - http://eis.hilton.com/cis/hlbfs/Expense/HlbfsOtherRevExp.CAB
    O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codebase/fontinstaller.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\bsuwdk.exe

    C:\WINDOWS\System\optlhfmh.exe

    C:\Documents and Settings\All Users\Application Data\msw ←–– Delete this whole folder if it exists!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Now:
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
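    As an added, defender-side example that is not from this thread or from HijackThis itself: a small Python triage helper that parses the R3/O2/O4/O16 line formats quoted in the post above and attaches the kind of review reasons a helper applies (orphaned "(no file)" entries, autoruns launched from Application Data, random-looking names dropped into the Windows system folder, downloaded ActiveX controls to re-confirm). The sample log and the ExampleApp entry are constructed, and the heuristics are assumptions of this example, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the entries listed in the post above, plus one
# benign-looking O4 line for contrast (the ExampleApp path is illustrative only).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {D87BDBE1-A340-4E55-91BB-5E0B7C8EEB73} - (no file)
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [bsuwdk] c:\windows\system32\bsuwdk.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
"""

LINE_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.exe$")  # assumption: pattern of bsuwdk/optlhfmh-style names

@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)

def triage(log_text):
    """Parse HijackThis-style lines and attach review reasons (heuristics are assumptions)."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("section"), m.group("body")
        f = Finding(sec, raw.strip())
        if body.endswith("(no file)"):
            f.reasons.append("orphaned entry: registry points at a file that no longer exists")
        if sec == "O4" and (o4 := O4_RE.match(body)):
            cmd = o4.group("cmd").strip('"').lower()
            exe = cmd.rsplit("\\", 1)[-1]
            if "\\application data\\" in cmd:
                f.reasons.append("autorun launched from Application Data, unusual for installed software")
            if RANDOM_NAME_RE.match(exe) and "\\windows\\system" in cmd:
                f.reasons.append(f"random-looking executable name {exe!r} placed directly in the system folder")
        if sec == "O16" and (o16 := O16_RE.match(body)):
            host = o16.group("url").split("/")[2]
            f.reasons.append(f"downloaded ActiveX control from {host}: confirm it is still needed")
        findings.append(f)
    return findings

def flagged(log_text):
    """Only the entries that earned at least one reason, as (section, reasons) pairs."""
    return [(f.section, f.reasons) for f in triage(log_text) if f.reasons]
```

Each (section, reasons) pair is something for the person reviewing the log to confirm by hand, not an automatic removal decision.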
     
  11. JimmieT

    JimmieT Private E-2

    Followed all instructions with no problems - then took a 20 minute break once I was done. I left Firefox open while I was upstairs. I came back down and there were 20 IE pop-ups. They were from the same sites I mentioned earlier:

    banners.searchingbooth.com
    budsinc.com
    ads.deskwizz.com

    I have attached two HJT files. jimmiet 2 is immediately after I finished your instructions. And jimmiet 3 is after I closed the 20 pop-ups.

    ???
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with CounterSpy?

    Is System Restore disabled?

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system\optlhfmh.exe


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.

    Also, please do the following as well.

    Please download "StartDreck", from here: http://www.niksoft.at/_data/startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  13. JimmieT

    JimmieT Private E-2

    CounterSpy was recommended to me this weekend by WTIC's (Hartford Talk Radio) "Computer Talk with TAB". The Geeks (Eric and TJ) said it is one of the best programs they have seen in a while. It is presently running on my PC.

    Here are the two additional logs.

    Thanks.
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those logs look clean to me! Let's try the below:

    Download and install Microsoft® Windows AntiSpyware, during the install make sure you get any updates.

    Download and install Ad-Aware SE, after the install "Check for Updates" and get any updates available. Run a Full System Scan and remove all found infections.

    Note: The latest reference file should be SE1R33
     
  15. JimmieT

    JimmieT Private E-2

    WOW! I have been online for an hour and a half using three different browsers - not one problem!!!!! What do you recommend from here for prevention? I am currently running CounterSpy, MS AntiSpyware, and Norton.

    THANKS!!!! What a long hard trip it's been!!!
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Great Job! :)

    From here I would recommend your seeing this article on How to Protect yourself from malware!

    Browse Safely!
     
  17. JimmieT

    JimmieT Private E-2

    You guys are awesome! Not a pop-up in 2 days. Thanks for all the help - I really appreciate it!

    I was singing your praises at work today! Thanks and talk to you soon!
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!:)

    Browse Safely!
     
