TechSpot

My HJT log for IE pop-ups even though only using FF

By Fatguyenalilcoa
Jun 7, 2006
  1. I've done all the steps in the sticky at the top of this message board saying to do all those steps before posting a HJT log and all the steps from the "how to remove Begin2Search / Coolwebsearch and other nasties" thread. After all this, about every 5 minutes I will get an IE pop-up with an address beginning with ad.XXXXX. This is even though I don't have any IE windows open and I exclusively use FF. Please help, this has been bothering me for weeks and I still can't fix it. Attached is my HJT log.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is badly infected with trojans etc.

    Go HERE and follow the instructions.

    Then, go HERE and do likewise.

    Post a fresh HJT log after doing the above.

    Regards Howard :)
     
  3. Fatguyenalilcoa

    Fatguyenalilcoa TS Rookie Topic Starter

    New HJT log

    I did the 2 things you said. The first one found some files which I removed but the second program didn't find any files. Here's the new HJT log from safe mode and after turning off system restore.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore. (XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

    Network
    CMAPP
    Weather
    PartyGaming\PartyPoker

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    161C1B1A1C191A.exe
    ipnetwork.exe
    pshwr.exe
    cmappstub.exe
    rukmm.exe
    mc-58-12-0000106.exe
    svchostsys.exe
    Weather.exe
    RunApp.exe

    Close task manager.

    Click start/run and type regsvr32 /u C:\WINDOWS\system32\fpdrnznx.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

    Do the same for these files as well.

    regsvr32 /u C:\WINDOWS\Lhupmbkl.dll

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 <Only fix this, if you haven't set this proxy yourself, or you don't know what it is.

    F2 - REG:system.ini: UserInit=userinit.exe

    O2 - BHO: Yvakt Class - {2335EA94-74D6-46B4-BA93-8567DAC6CC9B} - C:\WINDOWS\system32\fpdrnznx.dll

    O2 - BHO: (no name) - {2BDD0B40-46DF-B498-05BF-85477B0A0FE2} - C:\WINDOWS\Lhupmbkl.dll

    O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)

    O4 - HKLM\..\Run: [C6CCCBCACCC9CAC9] 161C1B1A1C191A.exe

    O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe

    O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe

    O4 - HKCU\..\Run: [cmappstub] C:\Program Files\CMAPP\cmappstub.exe -run

    O4 - HKCU\..\Run: [rukm] C:\Program Files\Common Files\rukm\rukmm.exe

    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000106.exe

    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

    O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe

    O4 - Global Startup: Digital Line Detect.lnk = ?

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121388702343

    Fix all O18 entries.

    O20 - AppInit_DLLs: Runner.dll,nemeilpb.dll,Runner.dll,Runner.dll,cmstart.dll,Runner.dll,cmstart.dll,EQMini.dll,SDRunner.dll,Runner.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    C:\Program Files\Weather\Weather.exe
    C:\Program Files\Common Files\svchostsys\svchostsys.exe
    C:\Program Files\Common Files\mc-58-12-0000106.exe
    C:\Program Files\Common Files\rukm\rukmm.exe
    C:\Program Files\CMAPP\cmappstub.exe -run
    C:\WINDOWS\system32\pshwr.exe
    C:\Program Files\Network\ipnetwork.exe

    161C1B1A1C191A.exe you will need to do a search of your system to find this file.

    C:\WINDOWS\Lhupmbkl.dll
    C:\WINDOWS\system32\fpdrnznx.dll

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)
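
The fix list in the post above uses HijackThis's one-entry-per-line log format. The following is an added example, not part of the original post and not HijackThis's own code: it parses a few of those entries and derives which files remain to be checked on disk, separating command-line arguments such as `-run` from the image path and skipping entries already marked `(file missing)`. The function names and regular expressions are assumptions and cover only the O2, O4 and O20 shapes quoted in this thread.

```python
import re
from ntpath import isabs  # Windows path rules on any host OS

# Constructed sample built from entries quoted in the post above.
SAMPLE = r"""
O2 - BHO: Yvakt Class - {2335EA94-74D6-46B4-BA93-8567DAC6CC9B} - C:\WINDOWS\system32\fpdrnznx.dll
O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll (file missing)
O4 - HKLM\..\Run: [C6CCCBCACCC9CAC9] 161C1B1A1C191A.exe
O4 - HKCU\..\Run: [cmappstub] C:\Program Files\CMAPP\cmappstub.exe -run
O4 - Startup: Weather.lnk = C:\Program Files\Weather\Weather.exe
O20 - AppInit_DLLs: Runner.dll,nemeilpb.dll,Runner.dll,Runner.dll,cmstart.dll,Runner.dll,cmstart.dll ,EQMini.dll,SDRunner.dll,Runner.dll
"""

# Assumption: these patterns cover only the O2/O4/O20 shapes seen in this thread.
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<cmd>.+)$")
RUN = re.compile(r"^(?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$")
IMAGE = re.compile(r"^(?P<path>.+?\.(?:exe|dll))(?:\s+(?P<args>.+))?$", re.I)

def parse_hjt(log):
    """Turn HijackThis log lines into dicts; lines of unknown shape keep only section/missing."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        body = m["body"]
        rec = {"section": m["sec"], "missing": body.endswith("(file missing)")}
        body = body.removesuffix("(file missing)").strip()
        if m["sec"] == "O20" and body.startswith("AppInit_DLLs:"):
            names = [n.strip() for n in body.split(":", 1)[1].split(",")]  # tolerate stray spaces
            rec["dlls"] = list(dict.fromkeys(n for n in names if n))  # de-duplicate, keep order
        else:
            detail = (BHO if m["sec"] == "O2" else RUN).match(body)
            image = IMAGE.match(detail["cmd"]) if detail else None
            if image:  # separate the on-disk image from its command-line arguments
                rec.update(path=image["path"], args=image["args"])
        entries.append(rec)
    return entries

def files_to_check(entries):
    """Return (absolute paths still on disk, bare names that need a file search)."""
    paths = [e["path"] for e in entries if "path" in e and not e["missing"]]
    return [p for p in paths if isabs(p)], [p for p in paths if not isabs(p)]

if __name__ == "__main__":
    located, search = files_to_check(parse_hjt(SAMPLE))
    print(*located, "search for: %s" % search, sep="\n")
```
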
     
  5. Fatguyenalilcoa

    Fatguyenalilcoa TS Rookie Topic Starter

    Updated HJT log

    Ok, I followed your instructions exactly and here's my new HJT log.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore. (XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    svchostsys.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\Program Files\Common Files\svchostsys\svchostsys.exe

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)
     
Topic Status:
Not open for further replies.
