  #1  
Old 02-22-2006
Bronze Member
 
Join Date: Feb 2006
Posts: 14
bmit
[Fixed] Starware popups again!

Could you please check these logs? Initially, I had problems with two popups - Starware and Getfound but it looks like that problem is gone. However, I can still hear annoying popups in the background even if none of my programs are running.

Thanks.
Attached Files
File Type: log hijackthis.log (9.3 KB, 3 views)
File Type: txt Scan report_20060221.txt.txt (1.3 KB, 2 views)


  #2  
Old 02-22-2006
ladygreenwitch's Avatar
HR Director
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,388
PC Experience: PC Illiterate
ladygreenwitch

Hi Bmit,

Welcome to PCHF. We have a wonderful group of techs here, and I know that we will be able to get rid of the rlms (rotten little monsters).

Thank you so much for following the instructions. I will take a look at your logs, and be back shortly.

TTFN

LGW


  #3  
Old 02-22-2006
ladygreenwitch's Avatar
HR Director
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,388
PC Experience: PC Illiterate
ladygreenwitch

Hi Bmit,

One of the reasons you may be having popup problems is that your Windows Messenger is still enabled. Please download and run Shoot the Messenger to disable it.

The only thing showing under HJT, other than it appears you ran the scan in Safe Mode (it would be helpful to see a full scan in Normal Mode), is your MyWay install. There are some reports that it actually does install spyware onto your computer.
Let's try SpySweeper and see if it locates any traces; that may be what's causing the problem. Sometimes removing malware still leaves bits and pieces in the registry.

Download both SpySweeper, by Webroot, and RegSupremePro, from Macecraft (it's in my signature). They are both 30-day full trials, and excellent programs.

Install and run SpySweeper. Under Options, choose the Sweep Options tab. Make sure that all options under What to Sweep are checked, except Do Not Sweep System Restore Folder. If you have more than one hard drive, or more than one partition, make sure that they are all selected. Click on Sweep, and Start. Allow it to clean everything that it finds. Please post the resulting log back here.

Once that has finished, if it is clean, install and run RegSupremePro. It will want to make a backup of your cab; let it. Click on the Registry Cleaner tab, and select Aggressive. When it has finished, click on Select, and choose All. Click on Fix, and let it fix everything that it finds.

We'll look forward to your reply,

TTFN

LGW


  #4  
Old 02-22-2006
joe5's Avatar
Elite Member
My PC
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,048
joe5

Hya guys. :smiley:

LGW, that SpySweeper link doesn't work anymore. They have discontinued that one, but this one still works:
(including a nice canned speech to use.)


Please download and install the trial version of Webroot SpySweeper (8.3mb)
http://www.webroot.com/shoppingcart/...011&vcode=DT02

When SpySweeper starts, please accept any prompts to update definitions.
Configure it as follows:
From the left pane, click Options
Select the Sweep Options tab & ensure the following are ticked:

*Sweep Memory
*Sweep Registry
*Sweep Cookies
*Sweep All Users accounts
*Do Not Sweep System Restore Folder
*Enable Direct Disk Sweeping
*Sweep contents of compressed files
*Sweep For Rootkits

-After that's done, select Sweep from the left pane & click on the Start button

Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.





But I have a feeling we are dealing with an Apropos rootkit here.

Please download AproposFix.exe - but do NOT run it yet.
http://swandog46.geekstogo.com/aproposfix.exe

Boot in Safe Mode (hit F8 when booting up) and once in Safe Mode, double-click aproposfix.exe and unzip it to the desktop.

Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode.

Then post a new HijackThis log, along with the "log.txt" file in the aproposfix folder.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #5  
Old 02-22-2006
ladygreenwitch's Avatar
HR Director
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,388
PC Experience: PC Illiterate
ladygreenwitch

:smiley: Thanks for that Joe,

For the sake of edification, what are the signs that are making you think Apropos rootkit? We await your mighty wisdom. lol

LGW


  #6  
Old 02-22-2006
joe5's Avatar
Elite Member
My PC
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,048
joe5

Well, that's a tricky one.. lol. The signs of an Apropos rootkit are no signs in HJT or malware scanners being found, but still getting popups.

So, no visible signs and popups anyway.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #7  
Old 02-22-2006
Bronze Member
 
Join Date: Feb 2006
Posts: 14
bmit

Here is the Spy Sweeper log and the latest HJT in normal mode.

Thanks for your quick instructions.
Attached Files
File Type: txt Spy Sweeper Session Log.txt (1.2 KB, 1 views)
File Type: log hijackthis.log (12.3 KB, 0 views)


