Tech Support Forum - View Single Post - Multiple pop-ups on multiple user system

tetonbob · 01-12-2006, 08:37 PM

This is something of a mess, and will take some time to clean. Since this is a multi-user system, be sure each log is from the same user, and the fix is run on only that user for now. We'll want to get logs from all users before we're done. *sigh*

What exact error message did AVG give, please?

You could try Avast! I use it, and like it.

Please print out these instructions.

Download Brute Force Uninstaller.
Unzip it to it’s own folder (c:BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:bfuEGDACCESS.bfu
Press execute and let it do it’s job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Please download dsrfix.zip from Atribune and save it to your desktop.

Double-Click on dsrfix.zip and extract it to your desktop.
This will create a new folder on your desktop named dsrfix.
Do Not open that folder yet.

I have attached a file to this post - regdel.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

Now reboot your system into safe mode.

Now open the folder dsrfix on your desktop.

Double-Click on dsrfix.bat
A window will pop up briefly then close, this is normal.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found:

The Best Offers
kagtolwq
kjecuy
knights_shiryu1
lyzfmgqu
MailSkinner
Viewpoint Media Player
WebSearch Tools
Zango Toolbar
zbvugea

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe

Delete these files/folders if they exist:

C:\Program Files\Toolbar
C:\Program Files\Common Files\WinTools
C:\Program Files\Best Offers
C:\Program Files\Viewpoint
C:\Program Files\Zango
C:\WINDOWS\SYSTEM32\PSHWR.EXE
C:\Program Files\MailSkinner\
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\kagtolwq_nav.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\pcconfig.dat
C:\PROGRAM FILES\dialers
c:\documents and settings\mommy\favorites\1111
C:\Documents and Settings\Mommy\Application Data\Starware
C:\WINDOWS\STWSI
C:\Program Files\FCHelp
C:\Program Files\knights_shiryu1\insthlp.dat
C:\Program Files\TBONAS\TBONcomp.dll
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\InstallerV4.exe
C:\WINDOWS\SYSTEM32\kagtolwq.exe
C:\WINDOWS\SYSTEM32\lanbruns.exe
C:\WINDOWS\SYSTEM32\lyzfmgqu.exe
C:\WINDOWS\SYSTEM32\pshwr.exe
C:\WINDOWS\SYSTEM32\vuwaqtf.exe
C:\WINDOWS\SYSTEM32\zbvugea.exe

Reboot into normal mode now.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).

Follow the prompts to install the ActiveX controls
It will say "Loading TrendMicro definitions".
Click "Start Scan"

After it's done scanning, click "Scan Results"

Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

If it offers a way to save results, please do, and post them here.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

01-12-2006, 08:37 PM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,182 OS: 2000 Pro; XP Pro; XP Home	This is something of a mess, and will take some time to clean. Since this is a multi-user system, be sure each log is from the same user, and the fix is run on only that user for now. We'll want to get logs from all users before we're done. sigh What exact error message did AVG give, please? You could try Avast! I use it, and like it. Please print out these instructions. Download Brute Force Uninstaller. Unzip it to it’s own folder (c:BFU) RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU) Start the Brute Force Uninstaller by doubleclicking BFU.exe In the scriptline to execute copy and paste c:bfuEGDACCESS.bfu Press execute and let it do it’s job. Wait for the complete script execution box to popup and press OK. Press exit to terminate the BFU program. Please download dsrfix.zip from Atribune and save it to your desktop. Double-Click on dsrfix.zip and extract it to your desktop. This will create a new folder on your desktop named dsrfix. Do Not open that folder yet. I have attached a file to this post - regdel.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry. Now reboot your system into safe mode. Now open the folder dsrfix on your desktop. Double-Click on dsrfix.bat A window will pop up briefly then close, this is normal. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found: The Best Offers kagtolwq kjecuy knights_shiryu1 lyzfmgqu MailSkinner Viewpoint Media Player WebSearch Tools Zango Toolbar zbvugea Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe Delete these files/folders if they exist: C:\Program Files\Toolbar C:\Program Files\Common Files\WinTools C:\Program Files\Best Offers C:\Program Files\Viewpoint C:\Program Files\Zango C:\WINDOWS\SYSTEM32\PSHWR.EXE C:\Program Files\MailSkinner\ C:\WINDOWS\SYSTEM32\InstallerV3.exe C:\WINDOWS\SYSTEM32\kagtolwq_nav.dat C:\WINDOWS\kwv2.dat C:\WINDOWS\pcconfig.dat C:\PROGRAM FILES\dialers c:\documents and settings\mommy\favorites\1111 C:\Documents and Settings\Mommy\Application Data\Starware C:\WINDOWS\STWSI C:\Program Files\FCHelp C:\Program Files\knights_shiryu1\insthlp.dat C:\Program Files\TBONAS\TBONcomp.dll C:\WINDOWS\SYSTEM32\InstallerV3.exe C:\WINDOWS\SYSTEM32\InstallerV4.exe C:\WINDOWS\SYSTEM32\kagtolwq.exe C:\WINDOWS\SYSTEM32\lanbruns.exe C:\WINDOWS\SYSTEM32\lyzfmgqu.exe C:\WINDOWS\SYSTEM32\pshwr.exe C:\WINDOWS\SYSTEM32\vuwaqtf.exe C:\WINDOWS\SYSTEM32\zbvugea.exe Reboot into normal mode now. Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button). Follow the prompts to install the ActiveX controls It will say "Loading TrendMicro definitions". Click "Start Scan" After it's done scanning, click "Scan Results" Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit. Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system. If it offers a way to save results, please do, and post them here. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 01-18-2006 at 08:19 PM.