
Popups Will Not Quit

Discussion in 'Virus & Other Malware Removal' started by bear_green, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. bear_green

    bear_green Thread Starter

    Joined:
    Aug 16, 2004
    Messages:
    7
    I'm really not sure what the hell is going on with my computer, but these dang pop ups will not stop...... I have a popup stopper installed and it has always worked until lately.
    The pop ups even come up when I don't have Internet Explorer open.
    I have you Spybot, Ad-Aware Pro 6, and BPS Spyware-Adware Remover.
    Still they will not go away..... I'm posting my HijackThis scan results, and maybe someone can help..... thanks in advance

    Logfile of HijackThis v1.98.2
    Scan saved at 9:37:57 PM, on 9/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\LVCOMSX.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hjt\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Thank God They Can't Cut Down The Sky
    R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL
    O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
    O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50060/QDow_AS2.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/activex/HMAtchmt.ocx
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-se...look=stmpl1&fw=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

    R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL

    O1 - Hosts: 216.19.0.250 idenupdate.motorola.com

    O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50060/QDow_AS2.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab


    Restart to safe mode and delete the C:\Program Files\se folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin

    Restart to safe mode.

    How to start your computer in safe mode


    Click here to download LspFix

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of lspak.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Now start your computer in Safe Mode and delete:

    The C:\windows\system32\lspak.dll file



    Click Here and download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.
     
  3. bear_green

    bear_green Thread Starter

    Joined:
    Aug 16, 2004
    Messages:
    7
    Wow....... that was a task, at least for me...... I hope I did it right....... here is the VX2 log....... thanks again (also for the fast reply)...........



    Log for VX2.BetterInternet File Finder (msg126)

    Files Found---
    C:\WINNT\System32\6bo4svc.dll
    C:\WINNT\System32\6go4svc.dll
    C:\WINNT\System32\6ho4svc.dll
    C:\WINNT\System32\6po4svc.dll
    C:\WINNT\System32\6xo4svc.dll
    C:\WINNT\System32\6yo4svc.dll
    C:\WINNT\System32\akledit.dll
    C:\WINNT\System32\alledit.dll
    C:\WINNT\System32\alvpack.dll
    C:\WINNT\System32\anmparse.dll
    C:\WINNT\System32\arctres.dll
    C:\WINNT\System32\atd.dll
    C:\WINNT\System32\ayd.dll
    C:\WINNT\System32\azctres.dll
    C:\WINNT\System32\azvpack.dll

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    igfxcui
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    Winlogon
    wlballoon


    Guardian Key--- is called: Winlogon
    Asynchronous 000
    DllName C:\WINNT\system32\alvpack.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 126
    ID {52B0F602-C361-4801-B241-30C3D87A06F0}
    IDex DS3

    User Agent String---
    {52B0F602-C361-4801-B241-30C3D87A06F0}
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    IMPORTANT!: Before you run this tool please close ALL running programs. Sign off and stay off the internet until the entire procedure is complete.


    Now run VX2Finder again and click on the Find VX2.Betterinternet button. It will display the entries as before. Select all these files

    C:\WINNT\System32\6bo4svc.dll
    C:\WINNT\System32\6go4svc.dll
    C:\WINNT\System32\6ho4svc.dll
    C:\WINNT\System32\6po4svc.dll
    C:\WINNT\System32\6xo4svc.dll
    C:\WINNT\System32\6yo4svc.dll
    C:\WINNT\System32\akledit.dll
    C:\WINNT\System32\alledit.dll
    C:\WINNT\System32\alvpack.dll
    C:\WINNT\System32\anmparse.dll
    C:\WINNT\System32\arctres.dll
    C:\WINNT\System32\atd.dll
    C:\WINNT\System32\ayd.dll
    C:\WINNT\System32\azctres.dll
    C:\WINNT\System32\azvpack.dll


    This time click on the Delete these files button. It will give you a message about one file to be deleted on reboot.
    It will ask to reboot to delete the last file. Go ahead and Restart the computer

    After it reboots run VX2Finder again and click on the User Agent button and it will delete the user agent string.

    Next click on the Guardian.reg button and it will delete the Guardian Key.

    Finally click the Restore Policy button to restore the Debug policy altered in the Look2Me installation.

    Restart your computer


    Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.


    Run VX2Finder again. This time click on the Make Log button as you did before and also click on the Hosts Log button. Copy and paste both of those logs here in your next reply along with another Hijack This log as well.
     
  5. bear_green

    bear_green Thread Starter

    Joined:
    Aug 16, 2004
    Messages:
    7
    Alright, here it is...... all three logs....... again, I really appreciate your help

    Log for VX2.BetterInternet File Finder (msg126)

    Files Found---
    C:\WINNT\System32\6io4svc.dll
    C:\WINNT\System32\6mo4svc.dll
    C:\WINNT\System32\6vo4svc.dll

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    igfxcui
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon


    Guardian Key--- is called:

    User Agent String---

    # Copyright © 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    #
    127.0.0.1 localhost

    Logfile of HijackThis v1.98.2
    Scan saved at 11:13:11 AM, on 9/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\LVCOMSX.EXE
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\hjt\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Thank God They Can't Cut Down The Sky
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/activex/HMAtchmt.ocx
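
Added example (not part of any post in this thread): a check that a follow-up HijackThis scan no longer contains the entries that were selected for fixing, tolerating the `...` that the forum inserts into long URLs in the posted fix list. The function names are hypothetical, and the sample text is a constructed subset of the log lines shown above.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [Name] path"; process paths are skipped.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*\S)\s*$")

def parse_entries(text):
    """Return the set of (section_code, body) entries found in a log."""
    return {m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m}

def matches(fix, entry):
    """True if a posted fix line denotes this scan entry. The forum shortens
    long URLs with '...', so that marker is treated as a wildcard."""
    (fcode, fbody), (ecode, ebody) = fix, entry
    if fcode != ecode:
        return False
    if "..." not in fbody:
        return fbody == ebody
    head, _, tail = fbody.partition("...")
    return (len(ebody) >= len(head) + len(tail)
            and ebody.startswith(head) and ebody.endswith(tail))

def verify_fix(before_log, after_log, fix_list):
    """Check a follow-up scan against the entries selected for fixing."""
    before, after, fixes = map(parse_entries, (before_log, after_log, fix_list))
    hit = lambda pool, fix: any(matches(fix, e) for e in pool)
    selected = {e for e in before if any(matches(f, e) for f in fixes)}
    return {
        "still_present": sorted(f for f in fixes if hit(after, f)),
        "never_in_scan": sorted(f for f in fixes if not hit(before, f)),
        "new_entries": sorted(after - before),
        "gone_without_fix": sorted(before - after - selected),
    }

# Constructed sample: a handful of lines copied from the logs in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
FIXES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
"""

if __name__ == "__main__":
    for name, items in verify_fix(BEFORE, AFTER, FIXES).items():
        print(name, items)
```

On this sample the only entry under `gone_without_fix` is the O10 `lspak.dll` line, which in the thread was removed with LspFix rather than through the HijackThis fix list.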
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run VX2Finder again and click on the Find VX2.Betterinternet button. It will display the entries as before. Select all these files

    C:\WINNT\System32\6io4svc.dll
    C:\WINNT\System32\6mo4svc.dll
    C:\WINNT\System32\6vo4svc.dll


    Click on the Delete these files button.

    Restart the computer
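
Added example (not part of any post in this thread): a comparison of two VX2Finder logs that reports which listed files disappeared, which are new in the second run, which Notify key went away, and whether the Guardian Key was cleared. The function names are hypothetical, the section headers are the ones shown in the logs above, and the sample text is a constructed, shortened copy of those two logs.

```python
import re

SECTION_RE = re.compile(r"^(Files Found|Additional Files|Keys Under Notify|Guardian Key|User Agent String)---\s*(.*)$")

def parse_vx2_log(text):
    """Split a VX2Finder log into sections: name -> lines under that header."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
            called = m.group(2).partition("is called:")[2].strip()  # value on header line
            if called:
                current.append(called)
        elif line and current is not None:
            current.append(line)
    return sections

def compare_runs(first_log, second_log):
    """Summarise what changed between two VX2Finder logs."""
    a, b = parse_vx2_log(first_log), parse_vx2_log(second_log)
    files = lambda s: {f.lower() for f in s.get("Files Found", [])}
    keys = lambda s: set(s.get("Keys Under Notify", []))
    dll = [l.split(None, 1)[1].lower() for l in a.get("Guardian Key", [])
           if l.startswith("DllName ")]
    return {
        "files_removed": sorted(files(a) - files(b)),
        "files_persisting": sorted(files(a) & files(b)),
        "files_new": sorted(files(b) - files(a)),
        "notify_keys_removed": sorted(keys(a) - keys(b)),
        "guardian_key_cleared": bool(a.get("Guardian Key")) and not b.get("Guardian Key"),
        "guardian_dll_was_listed": bool(dll) and dll[0] in files(a),
    }

# Constructed sample: shortened copies of the two VX2Finder logs in this thread.
FIRST = r"""
Files Found---
C:\WINNT\System32\6bo4svc.dll
C:\WINNT\System32\alvpack.dll
Keys Under Notify---
cryptnet
Winlogon
Guardian Key--- is called: Winlogon
DllName C:\WINNT\system32\alvpack.dll
"""
SECOND = r"""
Files Found---
C:\WINNT\System32\6io4svc.dll
C:\WINNT\System32\6mo4svc.dll
Keys Under Notify---
cryptnet
Guardian Key--- is called:
"""
if __name__ == "__main__": print(compare_runs(FIRST, SECOND))
```

File paths are compared case-insensitively because the same DLL appears as `System32` in the file list and `system32` in the Guardian Key's `DllName` value.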
     
Short URL to this thread: https://techguy.org/272269
