Zipzappromos pop-ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dealmaker, Jul 2, 2005.

  1. dealmaker

    dealmaker Private E-2

    Hello,

    I am getting regular pop-ups from zipzappromos.com, traffic.waypointcash.com, the-best-promos.com and security-updater.com. Recently, they have been coming up blank (the pop-up is there with a header, but the interior of the window is white/blank).

    I have already done everything in your READ ME FIRST thread (except for running Symantec Security Check which wouldn't load/download for some reason). I also have (and have run) the regular McAfee Anti-Virus program and Microsoft Giant Antispyware (Beta version). Nothing was detected by any of them, except for "CWS.Jksearch" which was removed by CWShredder.

    However, the Microsoft Antispyware program (and perhaps some of the other anti-spyware programs) normally identify and remove files or registry keys called "EGroup dialer" or "instant access" or "EGroup Adware". The pop-ups keep coming back (presumably after I've restarted my computer).

    I have a Dell Dimension Series 8300 computer with a P4 2.8 GHz chip.

    I'd really appreciate some help. Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for the below and uninstall if found:
    instant access
    EGroup Adware

    If you still have problems, follow the steps below exactly:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. dealmaker

    dealmaker Private E-2

    Thanks for responding so quickly. No EGroup Adware, Instant Access or similar in my Add/Remove Programs directory. Attached is my HJT Log file.
     

    Last edited: Jul 2, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The two R1/R0 lines are up to you, but many people remove them because of the myway reference.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:


    c:\ied_s7m.cab
    c:\x.cab

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
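    To make the triage behind the fix list above concrete, here is an added example (my code, not part of this thread or of HijackThis) that parses HijackThis log lines of the kinds chaslang flags and says why each one deserves attention. The sample entries are constructed from the lines quoted in this thread, plus one benign Spybot-S&D BHO whose path is assumed, to show what is not flagged.

```python
import re

# Constructed sample: the HijackThis entries quoted in this thread, plus one
# benign Spybot-S&D BHO (its path is assumed) to show what is NOT flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2053-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
"""

# Every HJT entry is "<section> - <body>"; sections are R0-R3 and O1-O23.
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# A CLSID is 8-4-4-4-12 hex digits in braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_line(line):
    """Split one HJT log line into (section, body); None for header/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("sec"), m.group("body")


def classify(sec, body):
    """Return why an entry deserves attention, or None if it looks harmless."""
    if sec in ("R0", "R1"):
        # Start/search page overrides: legitimate only if the user chose them.
        url = body.split("=", 1)[1].strip() if "=" in body else body
        return f"browser start/search page points at {url}; keep only if you chose it"
    if sec in ("O2", "O9") and ("(no file)" in body or "(file missing)" in body):
        # A CLSID registered for a file that is gone: dead weight, safe to fix.
        return "references a file that no longer exists (dangling CLSID); safe to fix"
    if sec == "O15" and "should be" in body:
        # A protocol mapped to a more trusting zone weakens IE's security zones.
        return "protocol default zone was lowered; restore the Internet Zone setting"
    if sec == "O16":
        target = body.rsplit(" - ", 1)[-1]
        if target.lower().startswith("file://"):
            # Downloaded Program Files normally come from a web URL, not a local .cab.
            return f"ActiveX control installed from a local path ({target}); remove the .cab as well"
        return f"ActiveX control downloaded from {target}; check the publisher before keeping it"
    return None


def triage(log_text):
    """Return a list of findings (section, CLSID, reason, raw entry) for a log."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        sec, body = parsed
        reason = classify(sec, body)
        if reason:
            clsid = CLSID_RE.search(body)
            findings.append({"section": sec, "clsid": clsid.group(0) if clsid else None,
                             "reason": reason, "entry": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>3} {f['clsid'] or '-':40} {f['reason']}")
```

The Spybot BHO is the control case: it has a CLSID and a file that exists, so it produces no finding, which is the same judgement a human reviewer makes when scanning a log.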
     
  5. dealmaker

    dealmaker Private E-2

    Did the HJT fix, but couldn't find the two files in C:\ to delete in safe mode. Perhaps I'm not looking in the right place. Attached is a new HJT log. Things seem like they are working faster, but I don't think we got everything, because I got a "security-updater.com" pop-up as I was coming on. I also have a new file on my desktop that must have been put there today somehow as I was doing all the loading/running of the READ FIRST software. It says "Desktop.ini" and when I open it, it reads "[LocalizedFileNames]
    Windows Media Player.lnk=@C:\WINDOWS\inf\unregmp2.exe,-4". The system warns me when I start to delete it. Any connection?
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the desktop.ini file.

    When exactly do you get "security-updater.com" popups? I don't know what you mean by "when you were coming on". Do you mean when you ran your browser?


    Your log is clean. What version of MS Antispyware do you have, and also what version are the spyware definitions?

    Let's Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Tell me where things stand right now.
     
  7. dealmaker

    dealmaker Private E-2

    Thank you. I'll try to be more precise. I got the "security-updater.com" pop-up right after I logged onto the internet. I closed it and it popped up a couple of more times within about 10 minutes or so (while I was on the internet working through my AOL browser).

    I deleted the desktop.ini file. I'm using version 1.0.509 of MS Antispyware, with spyware definitions version 5727 (6/26/05). I reset my web settings (and set my home page address to www.majorgeeks.com ;) ), downloaded Hoster and restored my original hosts.

    I just got another "security-updater.com" pop-up just as I hit the "manage attachments" button (as I was attaching a new HJT log file). Thanks again for your help.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MS Antispyware is up to version 1.0.614 and the definitions are 5731. You need to get updated.


    Download this virus checker tool from Microworld Antivirus Toolkit Utility

    1. Save it to a folder.
    2. Reboot into safe mode
    3. Double click the Mwav.exe file. (This is a stand alone tool and NOT just a virus checker... so it won't install anything)
    4. Leave all the default settings except change it to Scan All Files instead of just Program Files. Then click SCAN and when it is completed, anything found will be displayed in the lower pane.
    5. Click the View Log button which will bring up the log in a Notepad window. Save the log and then upload it here (as an attachment) when you come back. Note this mwav.log file may be too large to upload as it is. You may have to compress it into a ZIP file using a program like WinZip and then upload the compressed file.

    *Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

    We just want to use it to try to identify anything that is bad.
     
  9. dealmaker

    dealmaker Private E-2

    Thanks for the heads-up on the MS Antispyware. Attached is my Microworld Antivirus log.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove Programs for Instant Access and uninstall if found.

    Let me know if found or not.

    Also look in c:\windows\system32 for the below (do not do anything with them....just look for them).
    C:\WINDOWS\System32\pmyyil.exe
    c:\windows\system32\yrpbkzdev.exe
    C:\WINDOWS\System32\EGDACCESS_1057.dll". Action Taken: No Action Taken.
    Mon Jul 04 09:12:03 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object C:\WINDOWS\system32\EGDACCESS_1058.dll.
    C:\WINDOWS\system32\EGDACCESS_1059.dll
    C:\WINDOWS\system32\EGDACCESS_1060.dll
    C:\WINDOWS\System32\EGDACCESS_1057.dll
    C:\WINDOWS\system32\msclock32.dll
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download this trial version of ewido security suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
    You will need to update ewido to the latest definition files.

    • On the left hand side of the main screen click update
    • Click on Start
    The update will start and a progress bar will show the updates being installed.

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, after rebooting continue with the below steps.

    Open up Ewido and do the following:
    • Click on scanner
    • Make sure the following boxes are checked before scanning:

      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report. And tell me if you are still having any problems.
     
  12. dealmaker

    dealmaker Private E-2

    I did not see Instant Access in Add/Remove Programs, or any of the files listed in your next to last post (although EWIDO did clean or try to clean a file called msclock32.dll - whether it was in the Windows\System32 subdirectory or not, I can't recall). My EWIDO report is attached. I'm still getting "security-updater.com" pop-ups. MS Antispyware is still detecting "EGroup dialer dialer" in registry keys/values as follows:


    "Infected registry keys/values detected:

    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448
    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448"
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But msclock32.dll was one of the items I specifically asked you to look for. So I'm confused by your message which states you did not find any of the items listed but then you say you don't recall if it was there. Please look again right now. Also make sure viewing of hidden and system files is enabled first.


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixdialer.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixdialer.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Also search your PC for the following file: WINFRW.exe
    Let me know if found and where.

    You must configure search properly first as below.

    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter WINFRW.exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Then also look in Add/Remove programs for Security Iguard and uninstall if found. Let me know what you find.

    Also, are you sure about the name of the popup? Is it security-updater.com or securityupdater.com?
     
    Last edited: Jul 5, 2005
  14. dealmaker

    dealmaker Private E-2

    Sorry for the confusion. I did search for msclock32.dll as you requested (manually in the System32 subdirectory using Explorer, and using the search function in the same manner as in your last post (i.e., searching system folders, hidden files and folders and subfolders)). I didn't find it. Ewido found it during its scan. What I meant was that I didn't read the file path before "cleaning" the file during the scan. When I first logged onto the internet this morning (dial up), Ewido immediately alerted and found the file msclock.dll again. This time I noted that it was in the Windows\System32 directory (according to Ewido) before cleaning. I double checked and viewing of hidden files is enabled as in the tutorial. I looked again today (after Ewido cleaned) and couldn't find the file msclock.dll (using Explorer and search in the way you directed). Perhaps that is because Ewido cleaned it.

    I did the reg fix you suggested. It appeared successful.

    I searched for winfrw.exe as instructed and found nothing. I did not find Security Iguard in Add/Remove programs.

    The top bar of the pop-up (or so much of it I can read) is as follows:

    ~http://security-updater.com/ct/pr.php?id=1182&login=672125&mediaid_prefix=005&extparam=1:W0f7kp . . .
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like the msclock.dll is going to keep coming back at reboot. Let me know.

    Try the below for your security-updater problem. Let me know if it helps.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file addRZ.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the addRZ.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     
  16. dealmaker

    dealmaker Private E-2

    When starting AOL and other times clicking in to your web-site, I got an EWIDO alert that read "File: Unknown File"; "Infection: Dialer.Generic" (no specific reference to msclock32.dll this time). Also continuing to get security-updater.com pop-ups (despite merging the regfile as requested). A few times, I got a pop-up that said "The ewido security suite guard crashed. Consequently, the automatic protection is not active anymore". When I opened the Ewido program by clicking on the "E", it restarted the "guard" service.
     
  17. dealmaker

    dealmaker Private E-2

    I did get a couple of Ewido alerts regarding msclock32.dll. The last one was triggered by my entry of "majorgeeks.com" on the location/address bar (i.e., well after opening my AOL browser and dialing in/logging on).
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download: Find It NT/2000/XP

    Extract all the files from the Find It tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment. Make sure you wait long enough for it to complete. It should pop up a notepad file when finished.

    Also in Internet Explorer click on Tools and select Manage Browser Addons. Look to see if there is anything strange in there.

    And do one more thing:

    Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a Notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
    Last edited: Jul 6, 2005
  19. dealmaker

    dealmaker Private E-2

    When I ran find.bat from the Find It NT/2000/XP program, I got a pop-up which read:

    C:\windows\system32\cmd.exe
    C:\windows\SYSTEM32\AUTOEXEC.NT

    The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose "Close" to terminate the application.

    When I clicked on "Close", the program kept running and generated the attached log file.

    I looked in "Manage Browser Addons". The only item that looked unusual reads as follows:

    Enabled: {53707962-6F74-2053-2644-206D7942484F}
    Publisher: (Not Verified) Safer Networking Limited
    Enabled
    Browser Helper Object
    File: SDHelper.dll

    The StartupList log from HJT is attached.
     

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download RunKeys and unzip it to your desktop. Then doubleclick to run it. It will generate a text file. Attach the text file to your next message.

    Now download SilentRunners and save it to your desktop. Doubleclick it to run it. You may have to disable script blocking if your antivirus interferes. It will create a text file on your desktop. Also attach this text file into your next message.

    Also attach a new HJT log (this will require a second message).

    After attaching these logs, do not reboot or power down your PC.
     
  21. dealmaker

    dealmaker Private E-2

    Here are the logs from RunKeys and SilentRunners.
     

  22. dealmaker

    dealmaker Private E-2

    Here is the new HJT log. Waiting powered up.
     

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the information in the quote box into notepad. Save it to your desktop as type "all files" and name it remove.reg. Double click on the remove.reg file and grant it permission to add the registry entries.
    Reboot into safe mode and run Windows Explorer to delete:

    c:\windows\system32\yrpbkzdev.exe

    delete msclock32.dll if found too.

    Also look for the below file and tell me if you find it. Also right click on it and get Properties info. Click the Version tab (if it has one) and get information on company etc.
    c:\windows\system32\pmyyil.exe

    Then reboot in normal mode and tell me your status.
    Post a new log from RunKeys.
     
  24. dealmaker

    dealmaker Private E-2

    Did the regedit. Found and deleted yrpbkzdev.exe and msclock32.dll. Could not find pmyyil.exe. Attached is a new RunKeys log.

    No pop-ups so far this morning. However, I ran EWIDO and it found a malware file named msplock32.dll in the system32 subfolder (yes, a "p" instead of a "c"). I tried to clean this file, but the EWIDO summary said "error in cleaning file". I can see this file in the system32 subfolder. Should I delete it?
     

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to the RunKeys log, the below is still present in your registry:

    "yrpbkzdev"="c:\\windows\\system32\\yrpbkzdev.exe -start"

    Are you sure the registry fix merged in? And take a look to see if the file came back.

    Yes, msplock32.dll must be deleted too. We may need to use Pocket Killbox to delete these upon reboot.
     
  26. dealmaker

    dealmaker Private E-2

    Thanks for the help. I've been away from my computer for a week or so. As far as I know, the registry fix merged in. I tried it again and I'm attaching a new runkeys log.

    I didn't find a file in system32 named yrpbkzdev.exe. However, there are three files named yrpbkzdev.dat, yrpbkzdev_nav.dat, and yrpdkzdev_navps.dat. I did not delete them. When I last checked, there were no files named either msclock32.dll or msplock32.dll in the system32 subfolder (I deleted the file named msplock32.dll as you suggested).
     

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete those .dat files too. The RunKeys log is now okay.
     
  28. dealmaker

    dealmaker Private E-2

    No pop-ups for 2 weeks now, and none of the spyware detection/removal programs are finding anything. So, the problem seems to be resolved. :) Thanks very much for all your time and help. Should I enable System Restore at this point?
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
