Random popups in IE even when browser is closed

Status
Not open for further replies.

gbc1989

Hi,

I get these random IE popups from registry defender, yellow pages, pcantivirus, etc. Even when the browser is closed, I get these popups. I know I probably have an Adware lop or something like that, so here is my HijackThis log.

Any help would be appreciated.
 
This may not do much good as it is necessary to run additional programs, but to handle the current HijackThis log:
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:6502
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
It appears that you may have had the McAfee Security Suite at one time. But if you uninstalled it, it wasn't complete.
Have HijackThis remove the entries with above first:
McAfee QuickClean Imonitor is not necessary for startup. It is usually run infrequently and can be started manually if needed.
Additional Info: McAfee QuickClean 3.0 - removes internet clutter and unwanted programs
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe>> oasclnt.exe is a process belonging to McAfee Internet Security suite
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5156/mcfscan.cab
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all McAfee related processes> Apply> OK.

Control Panel> Add/Remove Programs> UNINSTALL the McAfee Suite.

Reboot into Normal Mode. You will get a nag message that you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 6.0 Update 11): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
Please follow the steps here and then post all three logs:
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

HijackThis alone is not sufficient. You will need to rescan with HijackThis AFTER Malwarebytes and SuperAntispyware. We will deal with additional entries dependent on all the logs.
 
Hi again,

I followed some of your steps and was able to delete some of the entries from HijackThis. Then my computer just shut down because of a thermal event and I will work on this asap and get you those logs tomorrow.

Thanks
 
Best to have everything else closed on the system while running the malware cleaning programs. But don't worry if you can't remove the HijackThis entries at this time. We can do it after I see the logs for all 3 programs.

It would be a good idea though to handle the McAfee and update the Java, as those can cause security issues.
 
I think I followed all the steps in order and here are the results in logs. Thanks for the input so far!
 
Why have you gone from running a current version of HJT to using an outdated version?

Make sure you have the LATEST version of HJT (currently 2.0.0.2) from HERE.

Double-click on the file you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.

Very Important.

You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

You can now close the HJT directory.

Please post a fresh HJT log.
 
Go to add remove programmes in your control panel and uninstall anything to do with (if there).

scourtoolbar

Close control panel.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {2B2B96D8-7634-4799-AD47-85E621EB8884} - (no file)

O2 - BHO: Scour Toolbar - {A057A204-BACC-4D26-9A9E-3AF287E2699B} - C:\PROGRA~1\SCOURT~1\SCOURT~1.DLL

O3 - Toolbar: Scour Toolbar - {A057A204-BACC-4D26-9A9E-3AF287E2699B} - C:\PROGRA~1\SCOURT~1\SCOURT~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,dpxwqr.dll,avgrsstx.dll mnidvt.dll

O20 - Winlogon Notify: nnnomjj - nnnomjj.dll (file missing)

O20 - Winlogon Notify: pmnmnkkI - pmnmnkkI.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\PROGRA~1\scourtoolbar <- Delete the entire folder.

Reboot your system.

Post a fresh HJT log and let us know if you're still having problems.
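
Added example, not part of the original post or of any tool mentioned in this thread: a small Python triage pass over HijackThis lines quoted on this page, marking entries whose file is missing, an IE proxy pointing at localhost, and AppInit_DLLs listed without a full path. The function names and the choice of checks are assumptions of this example; a flag means the entry deserves a manual look, not that it is malicious.

```python
import re

# Constructed sample: HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:6502
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Scour Toolbar - {A057A204-BACC-4D26-9A9E-3AF287E2699B} - C:\PROGRA~1\SCOURT~1\SCOURT~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,dpxwqr.dll,avgrsstx.dll mnidvt.dll
O20 - Winlogon Notify: nnnomjj - nnnomjj.dll (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - (no file)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse(log):
    """Yield (section code, body) for each well-formed HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def review_reasons(code, body):
    """Return the reasons an entry deserves a manual look (triage, not a verdict)."""
    reasons = []
    if re.search(r"\((no file|file missing)\)\s*$", body):
        reasons.append("orphaned: registry entry points at a missing file")
    if code == "R1" and re.search(r"ProxyServer\s*=\s*(localhost|127\.0\.0\.1)\b", body, re.I):
        reasons.append("IE proxy set to a local listener")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # The AppInit_DLLs value is delimited by commas or spaces.
        dlls = [d for d in re.split(r"[,\s]+", body.split(":", 1)[1].strip()) if d]
        bare = [d for d in dlls if "\\" not in d]
        if bare:
            reasons.append("AppInit_DLLs without a full path: " + ", ".join(bare))
    return reasons

def triage(log):
    """Map each flagged entry line to its list of reasons."""
    out = {}
    for code, body in parse(log):
        reasons = review_reasons(code, body)
        if reasons:
            out[f"{code} - {body}"] = reasons
    return out

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```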
 
I'd like to suggest running the Vundo Fix:
VundoFix:
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer, click OK.
6. Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
bobbeye, I ran the Vundo fix. It found nothing infected.

gillianbrown, I did what you said and here's the HJT log.
 
gbc1989, please use the Edit function when you have something to add, rather than making a separate post. The log is clean but here are some suggestions that will allow faster startup, faster surfing and faster shutdown:

Suggested programs and processes to UNCHECK on the Start menu:
If you decide to do this, reopen HijackThis and scan. CHECK each of the processes.
Then close all Windows except HijackThis and click Fix Checked and boot into Safe Mode.

Remove any of the entries on Startup:
Start> Run> msconfig> enter> Selective Startup Startup tab: UNCHECK each related process> Apply> OK.
Then do the Services as instructed:
NONE of these need to start on boot:
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper>> ASIO (Audio Stream In/Out) drivers for the SoundBlaster Audigy 2 series soundcards - for recording and home project studios

3 Media Player on start:
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Active X Objects:
These are virus scans running in the background:
Open IE> Tools> Manage Add-ons> find each of these> highlight> disable
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5156/mcfscan.cab
Services: Startup Type can be changed to Manual to start only as needed:
Start> Run> services.msc> right click> Properties in each Service> change startup to Manual:
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - (no file)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe>> Printer monitor for Dell printers.
Printers:
Do you use both Dell and Lexmark printers? Neither needs to load on boot; if one is no longer being used it should be uninstalled.
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe>> Lexmark Print Tray Icon.
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
Uninstall any programs (or printers) you are no longer using. Reboot into Normal Mode****
***NOTE: when you reboot, you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Disable QuickTime:
Open QuickTime.
Click Edit, point to Preferences, and then click QuickTime Preferences.
Now use the dropdown box to adjust Preferences.
You need to disable (usually uncheck) all boxes related to Auto Updates,
Tray Icon, other Automatic features, etc.
Close the window when you are done.
Close QuickTime.
 
Guys, I have a follow-up question because I was trying to uninstall one video game called "Star Wars II Jedi Outcast" with the CCleaner, but it would not uninstall it because "an installation support file could not be installed, catastrophic failure".

Is there a manual way to do this?
 
The proper way to uninstall "Star Wars II Jedi Outcast" would be:
First: use the game uninstaller if it has one.
2. If not, use Add/Remove Programs in the Control Panel.

I don't recommend CCleaner or any other cleaner to do a full uninstall, only to remove leftover files that can't be deleted. I need the exact 'catastrophic failure' message. If there is not more to it, check the Event Viewer for the Error that corresponds to the failed uninstall. Most likely you have damaged the installer by improperly trying to uninstall. You may have to reinstall in order to uninstall.

For the Event Viewer:
Start> Run> type in eventvwr
Do this on each of the System and the Applications logs:
1. Click to open the log>
2. Look for the Error>
3. Right click on the Error> Properties>
4. Click on Copy button, top right, below the down arrow
5. Paste here (Ctrl V)

Please ignore Warnings and Information Events. You do not need to include the lines of code (if any) in the box below the Description. We are only looking for the specific Error (if any) that corresponds to this message.
 
Same issue

Hi there,

I got the same issue. I ran L2M destroyer and then the HJT, but there are still IE pop-ups.
Can I get some help please... thanks
 
Can I get some help please... thanks
Yes, but it needs to be on your own thread. Tell us your specific problem and please include system specs. You have several questionable and unidentifiable entries in the HijackThis log. That program alone is not sufficient to look for and clean malware.

Please see this and follow the steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
After running Malwarebytes and SuperAntispyware, rescan with HijackThis, then attach all three logs:
 
I could not find the error related to the "catastrophic failure" but I did printscreen the error when I tried to uninstall it.
 