Hi and Welcome to TSF
Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. OK, on to the log...
Download and install CleanUp: http://cleanup.stevengould.org/
If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the "autoclean" option when prompted to do so.
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the system files and folders are showing/visible. Please make sure System Restore is enabled: right-click on My Computer, go to Properties->System Restore, look at the box for Turn off System Restore and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then create a new restore point.
Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove the following if listed.
WildTangent
WinTools
ISTsvc/ISTBar
Media Access
Internet Optimizer
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but make sure):
c:\windows\system32\drivers\disdn\spoolsv.exe
c:\windows\system32\cpuqkck.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\httnevkj.exe
C:\Program Files\Mincig\Ezkupek.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Internet Optimizer\actalert.exe
Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [strmsnnrs] msnmcgrs.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [tngfbC] C:\WINDOWS\httnevkj.exe
O4 - HKLM\..\Run: [Huiwkh] C:\Program Files\Mincig\Ezkupek.exe
O4 - HKLM\..\Run: [cvpkjk] c:\windows\system32\cpuqkck.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O4 - HKLM\..\RunServices: [strmsnnrs] msnmcgrs.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [strmsnnrs] msnmcgrs.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...ler_VENDARE.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/content...ick/TMSetup.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spys...rCabInstall.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Task Monitor (Taskmon) - Unknown owner - c:\windows\system\svchost.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
Delete the following files/folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS.)
c:\windows\system32\drivers\disdn\spoolsv.exe
c:\windows\system32\cpuqkck.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\httnevkj.exe
C:\Program Files\Mincig\Ezkupek.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\Bolger.dll
C:\WINDOWS\wsem303.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\farmmext.exe
C:\WINDOWS\svcproc.exe
c:\windows\system\svchost.exe
Microsoft.exe
msnmcgrs.exe <-- locate and delete these 2.
Be careful and delete ONLY what I listed, and in ONLY those directories. Some of these files are named the same as legit Windows files.
Run the cleanup utility and reboot/logoff when prompted.
Reboot and proceed with the next step...
Download ewido security suite from here: http://www.ewido.net/en/download/
Update its database from here: http://www.ewido.net/en/download/updates/
Run a scan and let it clean the PC.
Download FindIt's.zip to your desktop: http://forums.net-integration.net/in...post&id=142443
1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for Notepad to open a text file. It will take a while, so please be patient...
3. Then post the results here please, along with the new HijackThis log.
I also need you to check the properties of this file:
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxboreg.exe <-- I need to know if that's a Lexmark printer file.
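Added example (my own code, not the poster's and not part of HijackThis): a small Python triage helper that parses HijackThis O2/O3/O4/O16/O23 lines like the ones quoted above and applies two of the checks the post relies on by hand. A Run entry that names only a bare file (Microsoft.exe, msnmcgrs.exe) is resolved by PATH lookup, so the file has to be found by searching the disk; and a file that reuses a Windows system name (svchost.exe, spoolsv.exe) outside System32 is a lookalike of a legit file, which is why the post warns about deleting only the listed paths. The sample log is constructed from lines quoted in the post; the section regexes and the list of system file names are my assumptions. It only reports; it deletes nothing.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines in the same format as the log quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoft.exe
O4 - HKCU\..\Run: [strmsnnrs] msnmcgrs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O23 - Service: Task Monitor (Taskmon) - Unknown owner - c:\windows\system\svchost.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# Assumed layouts of the HijackThis sections handled here (other sections are skipped).
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$"),
}
PATH_SECTIONS = {"O2", "O3", "O4", "O23"}          # sections whose target is a local file
EXE_RE = re.compile(r'^"?(?P<p>[^"]*?\.(?:exe|dll|com|scr|cpl))\b', re.IGNORECASE)
# Core Windows binaries that legitimately live only in System32 (assumed list);
# the post warns that some of the listed files reuse these names elsewhere.
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32_DIRS = ("\\windows\\system32", "\\winnt\\system32")


@dataclass
class Entry:
    section: str
    raw: str
    hive: str = ""
    name: str = ""
    clsid: str = ""
    target: str = ""        # command line, path or URL as printed in the log
    path: str = ""          # local file extracted from target, if any
    file_missing: bool = False
    notes: list = field(default_factory=list)


def annotate(e):
    """Attach the review notes an analyst would want for this entry."""
    if e.file_missing:
        e.notes.append("orphaned entry: the referenced file is missing")
    if not e.path:
        return
    parent, _, base = e.path.rpartition("\\")
    if e.section == "O4" and "Run" in e.hive and not parent:
        e.notes.append("bare filename: started via PATH lookup, locate it by searching the disk")
    if base.lower() in SYSTEM_NAMES and not parent.lower().endswith(SYSTEM32_DIRS):
        e.notes.append("lookalike: reuses a Windows system file name outside System32")


def parse_line(line):
    line = line.strip()
    if not line:
        return None
    section = line.split(" ", 1)[0]
    pattern = PATTERNS.get(section)
    if pattern is None:
        return None                                  # O1, O9, O15 ... not handled here
    m = pattern.match(line)
    if m is None:
        return Entry(section=section, raw=line, notes=["unparsed line, review by hand"])
    g = {k: v or "" for k, v in m.groupdict().items()}
    e = Entry(section=section, raw=line, hive=g.get("hive", ""), name=g.get("name", ""),
              clsid=g.get("clsid", ""), target=g.get("target", ""))
    if e.target.endswith("(file missing)"):
        e.file_missing = True
        e.target = e.target[: -len("(file missing)")].strip()
    elif e.target == "(no file)":
        e.file_missing = True
        e.target = ""
    if section in PATH_SECTIONS and e.target:
        pm = EXE_RE.match(e.target)                  # strip quotes and trailing arguments
        e.path = pm.group("p") if pm else e.target
    annotate(e)
    return e


def triage(log_text):
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e is not None]


def files_to_review(entries):
    """Full paths still present on disk that the analyst should inspect."""
    return sorted({e.path for e in entries if e.path and "\\" in e.path and not e.file_missing},
                  key=str.lower)


def bare_names(entries):
    return sorted(e.path for e in entries if any(n.startswith("bare filename") for n in e.notes))


def lookalikes(entries):
    return sorted(e.path for e in entries if any(n.startswith("lookalike") for n in e.notes))


if __name__ == "__main__":
    ents = triage(SAMPLE_LOG)
    for e in ents:
        print(f"{e.section:<4} {e.path or e.target}")
        for n in e.notes:
            print(f"     ! {n}")
    print("files to review:", *files_to_review(ents), sep="\n  ")
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file contents; the notes tell you which entries point at files that no longer exist (safe to fix in HijackThis alone), which ones need a disk search, and which ones wear a system file's name.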