
Please help, unusual pop-ups

Discussion in 'Virus & Other Malware Removal' started by tifosiv122, Nov 7, 2003.

  1. tifosiv122

    tifosiv122 Thread Starter

    Joined:
    May 22, 2003
    Messages:
    5
    Recently my browser was hijacked... I cleaned the file (I think), ran Ad-aware and Spybot. Cleaned everything. Now I am still getting random pop-ups on sites I know don't use them. When I run Ad-aware and Spybot these keep coming back:

    Avenue A cookie
    Double click cookie
    mediaplex cookie

    I use ebates, so please don't tell me to remove it...otherwise does anyone see the bad party in the list?

    Thanks,
    Erik


    Here is my HijackThis log:

    Logfile of HijackThis v1.97.3
    Scan saved at 11:04:35 AM, on 11/7/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\wjview.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\72498720.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Documents and Settings\Erik Cohen\Desktop\WinVNC\WinVNC.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Erik Cohen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [1Sys32Cfg] C:\Program Files\ExploreAnywhere\NETObserve\netobserve.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Startup: Shortcut to WinVNC.exe.lnk = C:\Documents and Settings\Erik Cohen\Desktop\WinVNC\WinVNC.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Ebates (HKCU)
    O16 - DPF: JSyn Audio - http://www.softsynth.com/jsyn/plugins/archives/jsynv142.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\ERIKCO~1\LOCALS~1\Temp\ThereInstallHelper.dll
    O16 - DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} (There Voice Trainer) - file://C:\Program Files\There\ThereClient\ThereVoiceTrainer.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37600.6220486111
    O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) - file://C:\Program Files\There\ThereClient\ThereLauncher.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    My guess is that the problem might be associated with this running process:

    C:\WINDOWS\System32\72498720.exe

    However I do not see where it is starting from so it may be loaded by one of the programs in the Scanlog.

    Is ExploreAnywhere an installation of yours? This is a stealth mode pc monitoring tool.

    I would restart in Safe Mode and go to c:\windows\system and rename 72498720.exe to a .bak extension so that it fails to load. You may get a file missing message if something calls it but does not find it. It may be starting as a "service". We would have to see a post of the Startuplist (not the Scanlog) with "show minor sections" ticked to see what services are configured. To show that, click Config>Misc Tools, and check "show minor sections". Then click Generate Startuplist.


    If the file gets recreated, then something in your startups is doing it, possibly ExploreAnywhere, since netobserve.exe does NOT show as a process.

    You should also check and "fix" this item in HijackThis:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    You really don't need to be concerned about the "tracking" cookies.

    Edit: I recall now another thread which had one of those "numbered" exes that did not show in the Scanlog startups.

    Can you follow the instructions here to also display the text file of the registry entries in the Run folder:

    http://forums.techguy.org/showthread.php?postid=1205813#post1205813
     
  3. Javacool

    Javacool

    Joined:
    Jan 17, 2003
    Messages:
    27
    You are going to want to check and remove this one:

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

    It's a new DynamicDesktopMedia variant.

    Best regards,

    -Javacool
     
  4. tifosiv122

    tifosiv122 Thread Starter

    Joined:
    May 22, 2003
    Messages:
    5
    Thanks for your help...but I still have the random #.exe file problem. I looked at the other thread and the file they speak of is not on my list (syscpy.exe)...do you guys see any other unusual one?

    Logfile of HijackThis v1.97.3
    Scan saved at 9:01:07 AM, on 11/8/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\wjview.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\WINDOWS\System32\93954104.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Documents and Settings\Erik Cohen\Desktop\WinVNC\WinVNC.exe
    C:\Program Files\EbatesMoeMoneyMaker\EbatesMoeMoneyMaker.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Erik Cohen\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Startup: Shortcut to WinVNC.exe.lnk = C:\Documents and Settings\Erik Cohen\Desktop\WinVNC\WinVNC.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Ebates (HKCU)
    O16 - DPF: JSyn Audio - http://www.softsynth.com/jsyn/plugins/archives/jsynv142.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\ERIKCO~1\LOCALS~1\Temp\ThereInstallHelper.dll
    O16 - DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} (There Voice Trainer) - file://C:\Program Files\There\ThereClient\ThereVoiceTrainer.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37600.6220486111
    O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) - file://C:\Program Files\There\ThereClient\ThereLauncher.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It might be another file name. Can you give me a text file copy/paste of the registry folder that I asked for in the other thread? And just for good measure, go to Start and run msinfo32.

    Click on Software Environment, then Startup Programs. Then click Edit > Select All > Edit > Copy and paste the copied text here as well.

    And did you try deleting this file in Safe Mode:

    93954104.exe in the c:\windows\system32 folder.

    If you have trouble starting in Safe Mode, just run msconfig and open the boot.ini tab and put a check in /safeboot. This will have to be unchecked to return to normal.

    Edit: I see the file name changed "numbers". Had you deleted the previous one, and was the deletion done in Safe Mode?
     
  6. tifosiv122

    tifosiv122 Thread Starter

    Joined:
    May 22, 2003
    Messages:
    5
    Yes. I deleted the #.exe in safe mode...a new different # comes up. When I close it out I no longer get the pop-ups, so that is the problem. It comes back new and reloads each time with windows.

    I am sorry I didn't give you the log you wanted before... here it is:

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Class Name: <NO CLASS>
    Last Write Time: 11/8/2003 - 8:52 AM
    Value 0
    Name: NvCplDaemon
    Type: REG_SZ
    Data: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    Value 1
    Name: UpdReg
    Type: REG_SZ
    Data: C:\WINDOWS\UpdReg.EXE

    Value 2
    Name: DwlClient
    Type: REG_SZ
    Data: C:\Program Files\Common Files\Dell\EUSW\Support.exe

    Value 3
    Name: EbatesMoeMoneyMaker
    Type: REG_SZ
    Data: wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"

    Value 4
    Name: CloneCDElbyCDFL
    Type: REG_SZ
    Data: "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

    Value 5
    Name: Logitech Utility
    Type: REG_SZ
    Data: Logi_MwX.Exe

    Value 6
    Name: CoolSwitch
    Type: REG_SZ
    Data: C:\WINDOWS\System32\taskswitch.exe

    Value 7
    Name: nwiz
    Type: REG_SZ
    Data: nwiz.exe /install

    Value 8
    Name: Win-Hand
    Type: REG_SZ
    Data: C:\Documents and Settings\Erik Cohen\Desktop\Win-HandFreeSer.exe

    Value 9
    Name: LogitechVideoRepair
    Type: REG_SZ
    Data: C:\Program Files\Logitech\Video\ISStart.exe

    Value 10
    Name: LogitechVideoTray
    Type: REG_SZ
    Data: C:\Program Files\Logitech\Video\LogiTray.exe

    Value 11
    Name: iTunesHelper
    Type: REG_SZ
    Data: C:\Program Files\iTunes\iTunesHelper.exe

    Value 12
    Name: QuickTime Task
    Type: REG_SZ
    Data: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Value 13
    Name: AOLDialer
    Type: REG_SZ
    Data: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    Value 14
    Name: Belt
    Type: REG_SZ
    Data: C:\WINDOWS\Belt.exe

    Value 15
    Name: 61112612.exe
    Type: REG_SZ
    Data: C:\WINDOWS\System32\61112612.exe


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
    Class Name: <NO CLASS>
    Last Write Time: 11/15/2001 - 9:19 AM

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
    Class Name: <NO CLASS>
    Last Write Time: 11/15/2001 - 9:19 AM
    Value 0
    Name: Installed
    Type: REG_SZ
    Data: 1


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
    Class Name: <NO CLASS>
    Last Write Time: 11/15/2001 - 9:19 AM
    Value 0
    Name: Installed
    Type: REG_SZ
    Data: 1

    Value 1
    Name: NoChange
    Type: REG_SZ
    Data: 1


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
    Class Name: <NO CLASS>
    Last Write Time: 11/15/2001 - 9:19 AM
    Value 0
    Name: Installed
    Type: REG_SZ
    Data: 1
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, here we have something:

    Value 15
    Name: 61112612.exe
    Type: REG_SZ
    Data: C:\WINDOWS\System32\61112612.exe

    Whether this is a "stable" value or is changing with every deletion or startup I don't know.

    Here's what I'd like you to do. In Safe Mode, run regedit and navigate to:

    Hkey_Local_Machine
    Software
    Microsoft
    Windows
    CurrentVersion
    RUN

    With the Run folder highlighted, look in the right-hand pane for 61112612.exe or ANY numbered exe's and right-click on it and delete it.

    Then go to the c:\windows\system32 folder and delete that exe and any and all numbered exe's you see there such as 93954104.exe

    Reboot and check to see if those exes have remained deleted by looking at your Task Manager (ctrl-alt-del) and at regedit.

    Post another Scanlog and registry text file both. Alternately you can post copy/pastes of Running Tasks and Startup Programs from msinfo32 following the directions I gave for that.
     
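    A small checker for the pattern the thread is chasing, added here as an example; it is not part of the thread, of HijackThis, or of regedit. It parses the Scanlog's "Running processes" list and the regedit text export in the shapes posted above, flags executables whose name is nothing but digits, and reports which of those are running with no Run-key value pointing at them, which is exactly the situation Rollin' Rog describes (a numbered exe running that the Run key does not explain, so the loader lives elsewhere). The sample log and registry lines are constructed, and the function and pattern names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the HijackThis Scanlog posted in the thread.
SAMPLE_SCANLOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\System32\\93954104.exe
C:\\Program Files\\iTunes\\iTunesHelper.exe

O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
"""

# Constructed sample in the shape of the regedit text export posted in the thread.
SAMPLE_REG_TXT = """\
Key Name: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Value 0
Name: nwiz
Type: REG_SZ
Data: nwiz.exe /install

Value 1
Name: 61112612.exe
Type: REG_SZ
Data: C:\\WINDOWS\\System32\\61112612.exe
"""

# A file name that is nothing but digits, like 72498720.exe or 93954104.exe.
NUMBERED_EXE = re.compile(r"(?i)(?:^|[\\/])\d+\.exe\b")


def running_processes(scanlog: str) -> List[str]:
    """Return the paths listed under 'Running processes:' in a Scanlog."""
    paths, in_section = [], False
    for line in scanlog.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
        elif in_section and not line.strip():
            break  # the first blank line ends the section
        elif in_section:
            paths.append(line.strip())
    return paths


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse the 'Key Name / Value N / Name / Type / Data' text export."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = name = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Key Name:"):
            current = line.split(":", 1)[1].strip()
            keys[current] = []
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Data:") and current is not None and name is not None:
            keys[current].append((name, line.split(":", 1)[1].strip()))
            name = None
    return keys


def numbered_exes(scanlog: str, reg_text: str) -> Dict[str, List[str]]:
    """Numbered exes that are running, those started from a Run key, and running
    ones with no Run value behind them (the thread's case: the loader is elsewhere)."""
    running = [p for p in running_processes(scanlog) if NUMBERED_EXE.search(p)]
    from_run = [data for key, vals in parse_reg_export(reg_text).items()
                if key.upper().endswith("\\RUN")
                for _name, data in vals if NUMBERED_EXE.search(data)]
    unexplained = [p for p in running if p.lower() not in {d.lower() for d in from_run}]
    return {"running": running, "from_run": from_run, "unexplained": unexplained}
```

    Run it against a full Scanlog and a full regedit export of the Run key to get the same three lists for a real machine.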
  8. IMM

    IMM

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Belt.exe ?
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Thanks IMM, yes that's another mystery file. I vaguely recall seeing it before, but don't remember what if any association there was for it.

    I'd definitely put the kibosh on that as well.

    Yup, here it is:

    Program Name: Belt
    Executable Name: Belt.exe
    Required: NO!! Virus, spyware, or resource hog
    Comments: Abetterinternet adware related

    ref: http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

    http://www.kephyr.com/spywarescanner/library/abetterinternet/index.phtml

    ^^ look for an uninstall in Add/Remove programs!
     
Short URL to this thread: https://techguy.org/177656