There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post hijack this log ......
Go to first new post Trojan virus
Go to first new post "svchost application error 0x6fe217 ...
Go to first new post Cannot access any google sites - youtube ...
Go to first new post My computer is slowly dying
Go to first new post Trojan Hider
Go to first new post System Check problem
Go to first new post We Got System Checked :-(
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post Incredibar Removal - Support Pls!
Go to first new post need help regarding malware/spyware
Go to first new post Somethings Amiss....
Go to first new post Family Cyber Removal
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Tag Cloud
access acer asus bios bsod computer crash drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet laptop malware memory monitor motherboard netgear network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
HELP!!!Can't stop popups (New)

Page 1 of 2 1 2
Reply  
Thread Tools
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
21-Oct-2004, 10:20 AM #1
Angry HELP!!!Can't stop popups
OK-this is really getting to me. Apparently something has taken over my secondary computer. I get unrelenting popups. Every few minutes a series of 5 or 6 ads pops up. If I'm away from the computer for a short period I come back to 20-30 ads. I've run Spybott and Ad-Aware a bunch of times. Spybott couldn't get rid of Vbouncer but I looked up how to remove it. Thought it was gone since it didn't show up anymore on Spybott but ran popup manager which found about 30 infections including about 10 from vbouncer. Still not helping. Now Spybott keeps telling me I have DSO Exploit and can't seem to get rid of it. I feel like I'm trying to stop a tidal wave. Any help would be GREATLY appreciated. Thanks

Dave T.
WIN98

PS-I've also run spyware doctor-nothing helps!!!
Register for free to hide this ad!
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,222 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
21-Oct-2004, 10:34 AM #2
go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
21-Oct-2004, 10:55 AM #3
Derek:
Many thanks for your reply. I did as you instructed and here is the log. Any help is greatly appreciated.

Dave



Logfile of HijackThis v1.98.2
Scan saved at 9:48:59 PM, on 10/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\BAYRTK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MY DAILY HOROSCOPE\MYDAILYHOROSCOPE.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\bayrtk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - Startup: Click to Remove Spyware.lnk = C:\WINDOWS\RUNDLL32.EXE
O4 - Startup: igytwl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Dots - http://yog2.yahoo.com/yog/y/dtq0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://yog18.yahoo.com/yog/y/ywq0_x.cab
O16 - DPF: Yahoo! Checkers - http://yog14.yahoo.com/yog/y/kq0_x.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: Yahoo! Word Racer - http://yog20.yahoo.com/yog/y/wq0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt0_x.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
21-Oct-2004, 10:15 PM #4
Help???
Anyone??? Please help!!!!!!!!!!

Dave T.
Michael Wayn's Avatar
Junior Member with 16 posts.
  
Join Date: Oct 2004
21-Oct-2004, 10:23 PM #5
were you running any spyware programs when you did this? I see two things off the bat that stick out if that's not the case.
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
21-Oct-2004, 11:32 PM #6
Quote:
Originally Posted by Michael Wayn
were you running any spyware programs when you did this? I see two things off the bat that stick out if that's not the case.
I wasn't but now that you mention it I think they run in the background. I guess I need to disable them and run HighJack this again and repost? Thanks

dave
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
21-Oct-2004, 11:56 PM #7
Here's the scan log without the spyware programs running. Thanks again.

Logfile of HijackThis v1.98.2
Scan saved at 10:51:02 PM, on 10/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\BAYRTK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\bayrtk.exe
O4 - Startup: igytwl.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Dots - http://yog2.yahoo.com/yog/y/dtq0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://yog18.yahoo.com/yog/y/ywq0_x.cab
O16 - DPF: Yahoo! Checkers - http://yog14.yahoo.com/yog/y/kq0_x.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: Yahoo! Word Racer - http://yog20.yahoo.com/yog/y/wq0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt0_x.cab
O16 -
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,222 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
22-Oct-2004, 11:39 AM #8
Please ignore well meanuing advice from beginners and let's start from the beginning again

Post a new hijackthis log WITH everything running

never ever disable any programs before posting the log so we can see what we are dealing with
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
22-Oct-2004, 12:38 PM #9
Quote:
Originally Posted by dvk01
Please ignore well meanuing advice from beginners and let's start from the beginning again Post a new hijackthis log WITH everything running
never ever disable any programs before posting the log so we can see what we are dealing with
The first log i posted is the way the system was normally running. The 2nd log is with everything in the sys tray disabled. The one I am posting now is with EVERYTHING enabled. I went into MSCONFG>startup and enabled everything. Not sure if that was the right process. Sorry if not-rememeber I'm not very savy at this. Thanks for any help you can provide. I was just about to give it a try fixing it myself. Scary thought..

Logfile of HijackThis v1.98.2
Scan saved at 11:28:32 AM, on 10/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\BAYRTK.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\WINDOWS\SYSTEM\DLC32.EXE
C:\WINDOWS\SYSTEM\LTIGEROUS CREATURES.EXE
C:\PROGRAM FILES\MY DAILY HOROSCOPE\MYDAILYHOROSCOPE.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\DESKTOP DELUXE\PROGRAM\MCDTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\bayrtk.exe
O4 - HKLM\..\Run: [Create A Monster] C:\Program Files\Kudd.com\createAMonster.exe -run
O4 - HKLM\..\Run: [Gator] "C:\Program Files\Gator.com\Gator\Offers.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BackWeb] c:\program files\backweb\backweb\program\backweb.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Wireless 4D Mouse\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [p39X36U] DLC32.EXE
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [dkmrxxuazh] C:\WINDOWS\SYSTEM\dicjyx.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Y0q7RWYng] LTIGEROUS CREATURES.EXE
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: igytwl.exe
O4 - Startup: Media Changer Tray Icon.lnk = C:\Program Files\Desktop Deluxe\PROGRAM\MCDTray.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: Click to Remove Spyware.lnk = C:\WINDOWS\RUNDLL32.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Dots - http://yog2.yahoo.com/yog/y/dtq0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://yog18.yahoo.com/yog/y/ywq0_x.cab
O16 - DPF: Yahoo! Checkers - http://yog14.yahoo.com/yog/y/kq0_x.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: Yahoo! Word Racer - http://yog20.yahoo.com/yog/y/wq0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt0_x.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,222 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
22-Oct-2004, 02:02 PM #10
Now we can see what we are dealing with we can remove them for you

the ones I have said to fix with HJT and NOT to also delete the files are not bad programs but just don't need to be started and running all the time

first download the registry file, spydel.reg, from the following link and save it to your desktop:

http://www.bleepingcomputer.com/foru...=post&id=22871

double click it and allow it to be merged to the registry

then

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\bayrtk.exe
O4 - HKLM\..\Run: [Create A Monster] C:\Program Files\Kudd.com\createAMonster.exe -run
O4 - HKLM\..\Run: [Gator] "C:\Program Files\Gator.com\Gator\Offers.exe"

O4 - HKLM\..\Run: [BackWeb] c:\program files\backweb\backweb\program\backweb.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [p39X36U] DLC32.EXE
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [dkmrxxuazh] C:\WINDOWS\SYSTEM\dicjyx.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKCU\..\Run: [Y0q7RWYng] LTIGEROUS CREATURES.EXE
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: igytwl.exe

O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: Click to Remove Spyware.lnk = C:\WINDOWS\RUNDLL32.EXE


Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT...01052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

C:\WINDOWS\bayrtk.exe
C:\WINDOWS\kjberup.exe
C:\WINDOWS\SYSTEM\idctup20.exe
C:\WINDOWS\SYSTEM\dicjyx.exe
C:\WINDOWS\CONSCORR.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\igytwl.exe
C:\WINDOWS\SYSTEM\DLC32.EXE
C:\WINDOWS\SYSTEM\LTIGEROUS CREATURES.EXE

and Delete these folders

C:\Program Files\Gator.com
C:\PROGRAM FILES\SED
c:\Program Files\AutoUpdate
C:\PROGRAM FILES\VBOUNCER\
C:\PROGRAM FILES\MY DAILY HOROSCOPE

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well and everything in C:\temp

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Reboot normally &

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

Spybot - Search & Destroy from http://security.kolla.de
AdAware SE from http://www.lavasoft.de/support/download

and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml

and run it before the main adaware scan and follow it's directions

Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R13 16.10.2004 or a higher number/later date
Then ........
click the "Scan" button. and select full scan

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries. You can safely ignore any MRU entries though and not delete them

reboot again

Run an online antivirus check from at least one and preferably 2 of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/o...iruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

reboot again

then post a new hijackthis log to check what is left
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
22-Oct-2004, 05:30 PM #11
Quote:
Originally Posted by dvk01
Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT...01052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

C:\WINDOWS\bayrtk.exe
C:\WINDOWS\kjberup.exe
C:\WINDOWS\SYSTEM\idctup20.exe
C:\WINDOWS\SYSTEM\dicjyx.exe
C:\WINDOWS\CONSCORR.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\igytwl.exe
C:\WINDOWS\SYSTEM\DLC32.EXE
C:\WINDOWS\SYSTEM\LTIGEROUS CREATURES.EXE

and Delete these folders

C:\Program Files\Gator.com
C:\PROGRAM FILES\SED
c:\Program Files\AutoUpdate
C:\PROGRAM FILES\VBOUNCER\
C:\PROGRAM FILES\MY DAILY HOROSCOPE

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well and everything in C:\temp
Derek:
I am up to this point and so far so good. I have rebooted in safe mode but do not have a folder option in Explorer tools. Is there another way of getting to these hidden files and folders or am I doing something wrong. Thanks again.

Dave
cybertech's Avatar
Computer Specs
Malware Removal Specialist with 69,217 posts.
  
Join Date: Apr 2002
Location: Washington State
22-Oct-2004, 06:10 PM #12
Try My Computer instead of Windows Explorer and see if you have the option there.
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
22-Oct-2004, 06:13 PM #13
Ignore my previous post.I'm an idiot. I found the folder option and clicked show all files and unchecked hide extensions for known file types. There was no "show hidden files and folders" or "hide protected operation system files" line. I clicked ok but of the files you indicated to delete I could only fined 2-Crogram files/sed and C: program/mydaily horoscope which I deleted. I will continue looking. Thanks again

Dave
cybertech's Avatar
Computer Specs
Malware Removal Specialist with 69,217 posts.
  
Join Date: Apr 2002
Location: Washington State
22-Oct-2004, 06:20 PM #14
When you are done and have rebooted post another log.
Dtom4's Avatar
Junior Member with 18 posts.
  
Join Date: Oct 2004
Location: CT
Experience: Beginner
22-Oct-2004, 09:10 PM #15
OK-I've done everything on the list and the ads still keep coming. As I said I couldn't find most of the files on the delte list. Also when I run Spybot I get "DSO Exploit" Dataource object\default\software micrsoft\windows\current version\internet settings\zones\0\1004 !=3
When I run fix it says it is fixed but its alsways still there when I run Spybot again. It had been doing this earlier also. Thanks for all the help. I'm getting real desparate.

Logfile of HijackThis v1.98.2
Scan saved at 7:58:23 PM, on 10/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\DESKTOP DELUXE\PROGRAM\MCDTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=CookieCop:8100
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\Wireless 4D Mouse\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Media Changer Tray Icon.lnk = C:\Program Files\Desktop Deluxe\PROGRAM\MCDTray.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Dots - http://yog2.yahoo.com/yog/y/dtq0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://yog18.yahoo.com/yog/y/ywq0_x.cab
O16 - DPF: Yahoo! Checkers - http://yog14.yahoo.com/yog/y/kq0_x.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: Yahoo! Word Racer - http://yog20.yahoo.com/yog/y/wq0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt0_x.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 1 of 2 1 2

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 03:08 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.