Please Help - Annoying Popup

Hi SkyMarshall, welcome to DaniWeb :D

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful).
If you have problems updating see here: http://www.ewido.net/en/download/updates/

Close the program (don't scan yet).

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode

Double-click on the Nailfix.bat on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with run Ewido (you will be posting the log from this scan later when back in normal mode). Note -- When you run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do.

Reboot normally

Go to Add/Remove Programs in your Control Panel and remove (if found):

WebSpecials

Scan with hijackthis and have it fix the following entries:

O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejso32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\norway.exe -N
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [qtbads] c:\windows\system32\nytizr.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Be sure to close any open windows, other then hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files and folders:

C:\WINDOWS\system32\picsvr
C:\Program Files\WebSpecials
C:\windows\system32\elitejso32.exe
C:\WINDOWS\system32\norway.exe
C:\windows\system32\nytizr.exe
C:\WINDOWS\svcproc.exe

Note: if any of these cannot be deleted, boot into Safe Mode and try from there.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Empty your Recycle Bin.

Do a search for new.exe and let us know where any entries are located.
Do you use Bittorrent?

Reboot (into normal mode), close any open browser windows, scan with hijackthis, and post a new log along with the log from the Ewido scan.

Hey, and thank you for the fast reply.
I have followed every step, and done the following:

C:\WINDOWS\system32\picsvr - DELETED
C:\Program Files\WebSpecials - NOT FOUND
C:\windows\system32\elitejso32.exe - NOT FOUND (but found "ELITEJSO32.EXE-0F14EC11.pf" in c:/windows/prefetch)
C:\WINDOWS\system32\norway.exe - NOT FOUND
C:\windows\system32\nytizr.exe - NOT FOUND
C:\WINDOWS\svcproc.exe - NOT FOUND (also located as *.pf in windows/prefatch)


Deleted windows/temp and c:/temp and searched for all *.tmp and deleted thos as well.
Did a scan for "new.exe" ... but it wasn't located anywhere :)


Files that could not be deleted from Local/temp:
- Perflib_Perfdata_818
- Perflib_Perfdata_79c

And as for your question about bittorrent: There has been no *.torrent-files in any shape or form on my drives since my last format. I did a check in add/remove programs, and I could not find any webspecials or anything else I don't know what is.

--------------------------HIJACK THIS - LOG
Logfile of HijackThis v1.99.1
Scan saved at 13:25:44, on 05/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\DeamonTools 3.47\daemon.exe
C:\Programfiler\MessengerPlus! 3\MsgPlus.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\3Com\Launcher.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Fellesfiler\3Com\LanSupportService.exe
C:\Programfiler\Fellesfiler\3Com\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inpoc.no/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\DeamonTools 3.47\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Realmpegacidrule] C:\Documents and Settings\All Users\Programdata\shim bind real mpeg\Twotime.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [xncvrq] c:\windows\system32\urfystk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [acidace] C:\DOCUME~1\SKYMAR~1\PROGRA~1\FINDSU~1\less new.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: 3Com Launcher.lnk = C:\Programfiler\3Com\Launcher.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108507973919
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: 3Com Wireless LAN Support (AllWirelessLansService) - 3Com Corp. - C:\Programfiler\Fellesfiler\3Com\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\Ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: 3Com LAN Support (LanSupportService) - 3Com Corporation - C:\Programfiler\Fellesfiler\3Com\LanSupportService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programfiler\Fellesfiler\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


------------------------------EWIDO SCAN RESULTS
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           12:57:17, 05/27/2005
+ Report-Checksum:      2D8412C2


+ Date of database:     05/27/2005
+ Version of scan engine:   v3.0


+ Duration:             15 min
+ Scanned Files:            76283
+ Speed:                83.23 Files/Second
+ Infected files:           29
+ Removed files:            29
+ Files put in quarantine:      29
+ Files that could not be opened:   0
+ Files that could not be cleaned:  0


+ Binder:       Yes
+ Crypter:      Yes
+ Archives:     Yes


+ Scanned items:
C:\
D:\
E:\
F:\
G:\


+ Scan result:
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Cookies\skymarshall@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\Del417.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\download-mattie--.exe -> Spyware.MediaMotor.a -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\firlnin.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\NNCLXA638.EXE -> Spyware.NewDotNet -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\res37C.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\res418.tmp -> Spyware.180Solutions -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\simpletraffic.exe -> TrojanDropper.Small.nm -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.fr1C00 -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.fr8FCD -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\temp.frABA8\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temp\uppicsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\Programfiler\Fellesfiler\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\norway.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\seeve.exe -> Spyware.MediaMotor.f -> Cleaned with backup
C:\WINDOWS\system32\elitejso32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitenjl32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\norway.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\system32\nytizr.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\picsvr\picsvr.exe -> TrojanDownloader.Delmed.b -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Cleaned with backup
C:\WINDOWS\system32\urfystk.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\tdhvpaedc.exe -> Spyware.BetterInternet -> Cleaned with backup



::Report End
--------------------

I do however get an error on boot now when entering windows, that windows can't locate "nail.exe" ... should I just delete the "nail"-folders?

Thanks :)

You have a few things there that need removing...

-

First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

Uninstall Messenger Plus as it comes bundled with LOP, one of the infections you currently enjoy :). You can reinstall Messenger Plus without the sponsor.

-

Run HiJackThis and click "Scan", then check(tick) the following, if present:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [Realmpegacidrule] C:\Documents and Settings\All Users\Programdata\shim bind real mpeg\Twotime.exe
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\SkyMarshall\Lokale innstillinger\Temporary Internet Files\Content.IE5\6NUDG7CF\delf061225[1].exe
O4 - HKLM\..\Run: [xncvrq] c:\windows\system32\urfystk.exe
O4 - HKCU\..\Run: [acidace] C:\DOCUME~1\SKYMAR~1\PROGRA~1\FINDSU~1\less new.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\WINDOWS\Nail.exe
c:\windows\system32\urfystk.exe

folders...
C:\Documents and Settings\All Users\Programdata\shim bind real mpeg
C:\DOCUME~1\SKYMAR~1\PROGRA~1\FINDSU~1

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.