Unwanted popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jevans9145, Oct 2, 2004.

  1. jevans9145

    jevans9145 Private E-2

I am not a professional computer expert, but am reasonably proficient, though new to this forum. My system has been occasionally causing unsolicited popups even when doing work not web related. I have a DSL connection, use XP Pro, have read the HJT Tutorial and done all the requested cleaning of my system without success. I have run Hyjack This and created a log. I don't see anything in the log that I can identify as the culprit. May I post the log for comments?

    JGE
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Please do.
     
  3. jevans9145

    jevans9145 Private E-2

    Here is my hijack this log

    JGE
     
    Last edited by a moderator: Oct 2, 2004
  4. Kodo

    Kodo SNATCHSQUATCH

Please place HiJackThis into its own directory (something like C:\HJT) and run it again. Then post another log.

    Thank you :)
     
  5. jevans9145

    jevans9145 Private E-2

    The log is now in C\HJT

    JGE
     
  6. Kodo

    Kodo SNATCHSQUATCH

    the log doesn't need to be in C:\HTJ.. the HiJackThis.exe needs to be there... then run the .exe again and THEN let me see your log ;)
     
  7. jevans9145

    jevans9145 Private E-2

    I couldn't attach the log the second time. The system says it has already been sent in a previous thread. I have it in the C:\HJT folder now. Should I copy it directly to a message?

    JGE
     
  8. Kodo

    Kodo SNATCHSQUATCH

I've removed your old log here.. go ahead and upload it again.
     
  9. jevans9145

    jevans9145 Private E-2

As you requested, I copied the zip file to a new folder C:\HJT, and ran Hijack from there. Here is the log.

    JGE
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi jevans,

Your log shows HijackThis running from a TEMP Folder. You need to move it to a safe place - C:\Program Files\HijackThis. I know you are probably tired and frustrated with this. Hang in there ;) The reason it needs to be in a safe folder is because HJT saves backups - that way, if a mistake is made by you or MGs, you can restore the mistakes.

That said, the couple of bad guys stand out clearly in your log, so it isn't likely you or Kodo will make a mistake. Still, it's better to be safe than sorry.

    I think there might be a Peper trojan - Kodo will know better than I if this is the case.

    Cheers,

    PP
     
    Last edited by a moderator: Oct 2, 2004
  11. jevans9145

    jevans9145 Private E-2

I deleted hijack this and downloaded it again to C:\HJT and ran it from that folder and I still get the message that it is running from a temp file. I did a search for it and find it in C:\HJT\Hijack this.zip, C:\recyclers, and in the Norton protected recycle bin. I did run it from HJT. What am I doing wrong?

    JGE
     
  12. PhilliePhan

    PhilliePhan Guest

    Hi Jevans,

    For HJT:

    Click START > My Computer > Local Disk C: > Program Files
    Now, Rightclick in a blank space – select New > Folder and name it HijackThis.
    Now Extract HijackThis to that folder and run it.

    Hang in there! :) It looks like you've got a Peper trojan and there is a specific removal process for this. This is your Peper:

    O4 - HKLM\..\Run: [34HYCEA2WBS6S6] C:\WINNT\System32\Zvcyl.exe


    C:\WINNT\System32\Xchb.exe
    C:\WINNT\System32\Yfk8CM67.exe


    This should go as well:
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)


    DO NOT FIX ANYTHING UNTIL CHASLANG OR KODO TAKE A LOOK!

    Good luck,

    PP
     
  13. jevans9145

    jevans9145 Private E-2

Thanks PhilliePhan and Kodo for your responses. I opened >Start>my computer>Program Files and created a new file called Hyjack This. I downloaded the Hyjack This zip file and opened it and arrived at Hyjack This.exe. When I open that file I get the message that Hyjack This appears to be opening from a Temp folder, to close the file and copy it to another folder and run it. Unfortunately I am attempting to run it from the program file, not the temp file. (I previously created the c:\HJT folder and downloaded the file there and attempted to run it and received the same message. I ignored that message at that time and ran it and posted that log.) I need to know how to be sure to open the executable file from the Program File without the warning message. The system seems to start Hijack This from the temp file, even though I am trying to open it from the program file. How do I proceed? I'm going to sleep on it and come back tomorrow.

    JGE
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

It's hijackthis.exe; if it were Hyjackthis.exe, I would be worried about having a trojan.

    You need to extract the executable from the ZIP file. You are running it from the ZIP file.
     
  15. kingclyd69

    kingclyd69 Private E-2

I think that you are not 'unzipping' the program into its own folder. When you save the .zip file into its own folder you must open it and (if using the XP unzipper) select 'extract all files'.

I could be wrong though, just a thought. :p
     
  16. PhilliePhan

    PhilliePhan Guest

    Hi JGE,

    Follow the instructions I gave you a few posts back. Once you set up the new folder, go to your ZIP file of HJT. Rightclick the ZIP - select Extract All... - click NEXT - then BROWSE to your newly created HJT folder and click NEXT to extract HJT to that folder.

    The funny - if I may use that word ;) - thing is, this whole process has been harder than the actual fix may be! Other than the Peper, your log is pretty clean.
    You should probably go ahead and download this tool as well:

    http://downloads.subratam.org/PeperFix.exe

    Hang in there :)

    PP
     
  17. jevans9145

    jevans9145 Private E-2

    Thanks PhilliePhan,

    After a good night's sleep I read your latest post and followed your directions carefully and now have Hijack This running in a folder that isn't the temp folder. (All I had to do was right click and extract rather than left clicking). I also downloaded PepperFix.exe to the same folder. I have one question though. Do I turn off system restore when I clean the system? I believe I'm ready to remove the virus. What is the proper procedure? Here is my Hijack This log again.

    JGE
     
  18. Kodo

    Kodo SNATCHSQUATCH

    reboot to safe mode.

    make sure the following process is not loaded by viewing the process list
    C:\WINNT\System32\Xchb.exe

    Run the pepperfix.exe program you have.
    if it doesn't remove it, then try one of the alternatives listed in our tutorial near the bottom.

    then run HJT and remove the following.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)


    then post another log.
     
  19. jevans9145

    jevans9145 Private E-2

I rebooted in safe mode, checked the process list and ran Pepperfix.exe, then I ran HJT and fixed R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = and O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)

    I am attaching a copy of the current HJT log

    JGE
     
  20. Kodo

    Kodo SNATCHSQUATCH

    looks good! :)
     
  21. jevans9145

    jevans9145 Private E-2

    Kodo and PhilliePhan,

You have my sincere thanks for your patient assistance to me with this problem. I've been trying to solve this since before Service Pack 2. I was reluctant to bother you because of my limited computer skills, so it was especially nice to note your patience and concise instructions. I'm sorry this took so long.

    Thanks again

    JGE
     
  22. PhilliePhan

    PhilliePhan Guest

    Hi JGE,

    I think I can speak for Kodo and the other posters when I say You're Welcome! :) We are always happy to help! We understand firsthand the frustrations brought about by malware.

    While you are here, I suggest you read the posts in the Frequently Asked Questions section and check out some of the FREE anti-spyware tools available for download here. Any questions about them can be addressed in the Software Forum.

    Happy Surfing :)

    PP
     
  23. Kodo

    Kodo SNATCHSQUATCH

    yup! what he said :)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry guys but you missed one:

    O4 - HKLM\..\Run: [34HYCEA2WBS6S6] C:\WINNT\System32\UgjOg.exe

    This may be one of the new forms of peper trojans. Try this first one again:
    http://tools.zerosrealm.com/PeperFix.exe
    then run the below too:
    http://www.memorywatcher.com/uninst.exe

    If that does not work. Use Task Manager to look for UgjOg.exe and end it.

    Run HijackThis and fix the next line:
    O4 - HKLM\..\Run: [34HYCEA2WBS6S6] C:\WINNT\System32\UgjOg.exe

    Then boot into safe mode, make sure viewing of hidden files is enabled and delete:
    C:\WINNT\System32\UgjOg.exe
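A small triage helper for HijackThis-style log lines like the ones quoted in this thread (empty R0 values, an orphaned O3 toolbar, and the randomly named O4 Run entry that was missed the first time). This is an added example, not a tool from the thread or from the HijackThis project; the sample log is constructed, and the random-name heuristic is my own assumption, meant as a prompt for a second look rather than a verdict:

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O4 - HKLM\..\Run: [34HYCEA2WBS6S6] C:\WINNT\System32\UgjOg.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
"""

VOWELS = set("aeiouAEIOU")

def looks_random(token):
    """Crude heuristic (an assumption) for machine-generated names such as
    34HYCEA2WBS6S6 or Zvcyl: long letter/digit soup, or a consonant-only blob."""
    alpha = [c for c in token if c.isalpha()]
    digits = [c for c in token if c.isdigit()]
    if alpha and digits and len(token) >= 8:
        return True
    if len(alpha) >= 4 and not digits and not any(c in VOWELS for c in alpha):
        return True
    return False

def triage(log_text):
    """Return (line number, HJT code, reason) for entries worth a second look."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        # R0/R1: an IE setting with an empty value, as fixed in this thread
        m = re.match(r"^(R[01]) - .+,(.+?) =\s*(.*)$", line)
        if m and not m.group(3):
            hits.append((n, m.group(1), f"empty '{m.group(2)}' value"))
            continue
        # O3: a toolbar CLSID with no name and no file behind it
        if line.startswith("O3 - ") and "(no name)" in line and "(no file)" in line:
            hits.append((n, "O3", "orphaned toolbar CLSID with no file on disk"))
            continue
        # O4: a Run entry whose value name or executable name looks generated
        m = re.match(r"^O4 - (\S+): \[(.*?)\] (.+)$", line)
        if m:
            name, exe = m.group(2), PureWindowsPath(m.group(3)).stem
            if looks_random(name) or looks_random(exe):
                hits.append((n, "O4", f"random-looking Run entry [{name}] -> {exe}.exe"))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The legitimate point32.exe line is deliberately left unflagged, since its value name and file name are both ordinary words.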
     
  25. Kodo

    Kodo SNATCHSQUATCH

    damnit!damnit!damnit!damnit!damnit!damnit!damnit!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    LOL!

    Heh! You watch my back and I'll watch yours! Works out good that way! :)
     
  27. Kodo

    Kodo SNATCHSQUATCH

    yes it does :)
     
  28. PhilliePhan

    PhilliePhan Guest

    Hi Guys,

    I'll take my share of the blame as well. I didn't bother to follow behind Kodo on the last log. Hope JGE posts back so that we can correct the mistake!

    Good thing Chas took a look!

    PP
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No blame PP! None of us are perfect. And our eyes get tired looking at all of this stuff. That's why it's good to have help and 2nd / 3rd opinions. Why don't you check to see if JGE has PM/email enabled and send one?
     
    Last edited: Oct 4, 2004
  30. PhilliePhan

    PhilliePhan Guest

    Checked - He did not enable email. Says to go through an administrator.

    I'm still ticked at myself for not bothering to check the log.

    PP
     
  31. jevans9145

    jevans9145 Private E-2

I came back and read your messages and noticed the problem. I ran pepperfix and memorywatcher and ran another Hijack This log which I will attach. O4 - HKLM\..\Run: [34HYCEA2WBS6S6] C:\WINNT\System32\UgjOg.exe was in the log, and it doesn't appear to be now. I believe that problem is now also solved. Let me know if you find anything else.

    Thanks again,
    JGE
     
  32. PhilliePhan

    PhilliePhan Guest

    Hi JGE!

    Darn happy you checked back! :)
    At first glance, the log looks OK. I may PM Chaslang - if he doesn't see this - to doublecheck as well, so check back again. Also, it might be a good idea for you to flush your System Restore (turn it off and back on). I remember you had a question about that.

    I apologize for my sloppy effort the first time around. I'm happy to have the chance to correct the error! (Kodo, too, I imagine)

    Best,

    PP
     
  33. PhilliePhan

    PhilliePhan Guest

    Chas, Kodo:

    Other than this-
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    and this harmless looking fellow-
    O4 - HKLM\..\Run: [POINTER] C:\Documents and Settings\Jim Evans\My Documents\Old files\old c2\Program Files\Microsoft Hardware\Mouse\point32.exe

    do you guys see anything I missed?

    PP
     
  34. jevans9145

    jevans9145 Private E-2

    Are you saying I should use Hyjack this to fix
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    and
    O4 - HKLM\..\Run: [POINTER] C:\Documents and Settings\Jim Evans\My Documents\Old files\old c2\Program Files\Microsoft Hardware\Mouse\point32.exe ?

I turned System Restore off and back on, so that should clear the junk out of System Restore.

    Thanks JGE
     
  35. PhilliePhan

    PhilliePhan Guest

    Hi JGE,

    This is minor, but should be fixed:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    I figured you might recognize the other one. Do you?
    It is probably a good idea to hold off on the fixing until Chaslang weighs in. (Likely later tonight.)

    PP
     
  36. jevans9145

    jevans9145 Private E-2

The second item points to my Old C file that is archived info saved from an old system of mine when I had a hard drive failure. When I purchased my new computer I was able to save nearly all the old data and it's in "Old C:". I don't know if it needs to be there.

    I'll hold up on fixing till this evening.

    Thanks again

    JGE

    PS: Maybe I'll learn to spell Hijack correctly if I do it often enough.
     
  37. PhilliePhan

    PhilliePhan Guest

    LOL! :) The funny thing is, as chaslang noted a number of posts back, when you are dealing with malware you need to spell everything precisely and correctly. Malware purveyors intentionally give their files names that are similar to legitimate processes to try to hide them.
    Also, the names of anti-spyware tools need to be specific because there are so many Rogue or fake ones out there that it can be confusing.

    Check back later for Chaslang's verdict.

    Best,

    PP
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

The point32.exe line is for a Microsoft Intellipoint mouse.

    JGE,
    You said
    "The second item points my Old C file that is archived info saved from an old system of mine when I had a hard drive failure. When I purchased my new computer I was able to save nearly all the old data and it's in "Old C:". I don't know if it needs to be there. "

But then why is the point32.exe file loading at startup? It would appear you used this directory for some kind of installation. Otherwise the file would not be loading from there. For WinXP you do not really need this unless you are using specific advanced features of the mouse. In most cases you can fully de-install the Intellipoint software via the "Add/Remove Programs" icon in the Control Panel, as most of the standard Intellipoint features have been integrated into WinXP.
     
  39. jevans9145

    jevans9145 Private E-2

    Chaslang and Philliephan,
I'm using a Microsoft IntelliMouse optical mouse. If I fix both
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    and
    O4 - HKLM\..\Run: [POINTER] C:\Documents and Settings\Jim Evans\My Documents\Old files\old c2\Program Files\Microsoft Hardware\Mouse\point32.exe ?
    I understand that I can reinstall the mouse if necessary. Should I go ahead and fix both these items now?


    Thanks,

    Jge
     
  40. PhilliePhan

    PhilliePhan Guest

    I don't see why not.

I'll check back later (VP Debate & Baseball Playoffs to watch). You are in excellent hands w/ Chas.

    Cheers,

    PP
     
    Last edited by a moderator: Oct 5, 2004
  41. jevans9145

    jevans9145 Private E-2

    I fixed the two items in question and they no longer exist in the log.

    Thanks again for all your help.

    JGE
    :) :) :) :)
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool! Happy we could help!
     