Author Topic: Bad popups  (Read 2035 times)

Offline Tsowdsun

« on: May 26, 2005, 02:49:30 PM »
I have had no success in getting my computer spyware free.  I can't totally remove FlashEnhancer and FlashTracker which is only found when I am running my PC normally and not in safe mode.  In safe mode they can't be found.

Here is my HJT log file, and I would appreciate any and all help in getting this PC cleaned up!

Logfile of HijackThis v1.97.7
Scan saved at 2:39:35 PM, on 5/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINNT\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\Program Files\Network Associates\VirusScan\Mcshield.exe
c:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINNT\System32\vxob\vsqrxp.exe
c:\winnt\software\wcomagent\collectionagent.exe
c:\_integra\bin\ccmagent.exe
C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE
c:\_integra\bin\shstart.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\etlitr50.exe
C:\Program Files\SpamPal\spampal.exe
c:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
c:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\bryan.munson\My Documents\Desktop Items\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tertl.mcilink.com/reviewplan.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://tertl.mcilink.com/reviewplan.asp
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vsqrxp] C:\WINNT\System32\vxob\vsqrxp.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "c:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [MSMSGS] "c:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1367EE21-17B1-11D2-82E2-00608C62F5A7} (fmbt_nav.Nav) - http://fmbt.mcilink.com/fmbtscripts/fmbt_nav.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103250210761
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.93.44.113/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com
« Last Edit: May 26, 2005, 02:50:34 PM by Tsowdsun »

Offline Cretemonster

« Reply #1 on: May 30, 2005, 02:39:42 AM »
Hi Tsowdsun and Welcome!

Open HijackThis and Click the Config button towards the bottom right!

Now Click Misc Tools>>Click Check for Update online and get HijackThis Updated to 1.99.1!

When you post back with the new log...tell me as much about these 2 entries as you can

C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE

O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe

Offline Tsowdsun

« Reply #2 on: May 31, 2005, 10:25:04 AM »
Updated to latest rev and I am only familiar with the Entrust that is a security program for my company for VPN login.  The funk software, I have never used it or seen it listed in my programs.

Here is the latest logfile and thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 10:22:25 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINNT\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\Program Files\Network Associates\VirusScan\Mcshield.exe
c:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINNT\System32\vxob\vsqrxp.exe
c:\winnt\software\wcomagent\collectionagent.exe
c:\_integra\bin\ccmagent.exe
C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE
c:\_integra\bin\shstart.exe
C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessManager\Client\AccessMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\etlitr50.exe
C:\Program Files\SpamPal\spampal.exe
c:\Program Files\Microsoft Office\Office10\WINWORD.EXE
c:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
c:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\bryan.munson\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tertl.mcilink.com/reviewplan.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://tertl.mcilink.com/reviewplan.asp
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vsqrxp] C:\WINNT\System32\vxob\vsqrxp.exe
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "c:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "c:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {1367EE21-17B1-11D2-82E2-00608C62F5A7} (fmbt_nav.Nav) - http://fmbt.mcilink.com/fmbtscripts/fmbt_nav.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103250210761
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.93.44.113/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com
O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE
O23 - Service: Access Manager Configuration Service (AMBroker) - Unknown owner - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - WorldCom - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust Technologies Ltd. - C:\WINNT\etlisrv.exe
O23 - Service: fyodtmqpyjwc - Unknown owner - C:\WINNT\System32\qpyjwc\fyodtm.exe (file missing)
O23 - Service: gcryrkrg - Unknown owner - C:\WINNT\System32\rkrg\gcry.exe (file missing)
O23 - Service: hmxmnjiwhk - Unknown owner - C:\WINNT\System32\iwhk\hmxmnj.exe (file missing)
O23 - Service: kjunfosftnrlhr - Unknown owner - C:\WINNT\System32\ftnrlhr\kjunfos.exe (file missing)
O23 - Service: ktlmasfsqxd - Unknown owner - C:\WINNT\System32\asfsqxd\ktlm.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - c:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - c:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: nwnwoppbdfff - Unknown owner - C:\WINNT\System32\pbdfff\nwnwop.exe (file missing)
O23 - Service: ofesfulnjef - Unknown owner - C:\WINNT\System32\fulnjef\ofes.exe (file missing)
O23 - Service: Oracleora817ClientCache - Unknown owner - C:\Program Files\Oracle\ora817\bin\ONRSD.EXE
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: ucucbfrwhb - Unknown owner - C:\WINNT\System32\bfrwhb\ucuc.exe (file missing)
O23 - Service: vsqrxpvxob - Unknown owner - C:\WINNT\System32\vxob\vsqrxp.exe
O23 - Service: WorldCom License and Statistics Agent (WComAgent) -   - c:\winnt\software\wcomagent\collectionagent.exe
O23 - Service: WControl - On Technology Corporation - c:\_integra\bin\ccmagent.exe

Offline Cretemonster

« Reply #3 on: June 01, 2005, 06:58:55 AM »
OK...We need to find out what part of the log belongs to work and what part belongs to the bugs!!

We have these entries I am unsure about

O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE

O23 - Service: Access Manager Configuration Service (AMBroker) - Unknown owner - C:\Program Files\AccessManager\Client\AMBroker.exe

O23 - Service: Visual Insight DA Plugin (DAPlugin) - WorldCom - C:\Program Files\AccessManager\Client\DAPlugin.exe

O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE

O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe

O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe

O23 - Service: WorldCom License and Statistics Agent (WComAgent) - - c:\winnt\software\wcomagent\collectionagent.exe


Download Ewido Security Suite, install then from within the program check for updates BUT don't scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net/en/download/updates/

If Ewido hangs up or stops Scanning for any reason while running and will not complete the Scan..Please post back ASAP and Let me know!

AdawareSE 1.06
http://www.bleepingcomputer.com/forums/ind...showtutorial=48

Assure that you have the latest Version with the latest Definition Files and Configured just as described in the link!

Download "The Hoster" from here
http://www.funkytoad.com/download/hoster.zip

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Open Hoster and Press "Restore Original Hosts" and press "OK". Exit Program.

Click Start>>Click Run>>Type in Services.msc and Click OK!

Scroll the services list for any of these entries

fyodtmqpyjwc

gcryrkrg

hmxmnjiwhk

kjunfosftnrlhr

nwnwoppbdfff

ofesfulnjef

ucucbfrwhb

vsqrxpvxob


If you locate any Randomly named Services like the ones listed above

Right Click the Entry and Select Properties

Click Stop and Change the StartUp type to Disabled!

Close out the Services Page

Now Open Both Ewido and Ad Aware...do nothing with them yet...just open them!

Do not Close or Minimize either once opened!

Right Click the Task Bar near the Clock and Select Task Manager and  Click Processes

Don't close out the Task Manager!!

Scroll the Processes list for

C:\WINNT\System32\vxob\vsqrxp.exe

If located...Highlight or Right Click and Select End Process!

Scroll the list again and locate

C:\WINNT\explorer.exe

End Process on Explorer.exe

When you do this...the Desktop and Task Bar will disappear...that is Normal and is needed for the Cleaning to be complete!

Now you have Ewido and Ad Aware Open in front of you!

Scan with Ewido...let it clean what ever it finds and Save the log!

Open Ad Aware and let it remove all it finds and make sure to delete the quarantine file!

Close both out once Scan is complete!


Go to the Task Manager and Select Shut Down>>Click Restart>>This time choose to restart in Safe Mode with Networking!

You will have Internet Access but please go to these 2 sites only!

Download RegScrubXP Pro
http://majorgeeks.com/Lexun_RegScrubXP_d2048.html

Download and Open but do not use yet!

Follow the link below for this Online Scan
http://www.kaspersky.com/beta?product=161744315

You will have to be using Internet Explorer for the Scan to work!

Once it's downloaded and has Updated its Database...you will be ready to Scan!

Don't Scan just yet!!!

Kill the same 2 processes if present...just as done before!!!

Disconnect from the Internet by unplugging the Internet Connection from the Back of the PC or Modem!

Click to Scan the Entire Computer and let it do its thing!

Delete all it finds and Close out the Scan!

Go to RegScrub

Click RegScrubXP finds Problems

Let it Scan

Click Select All

Click Let RegScrubXP fix!!

Use the Task Manager to Restart the PC...Restart Normal

Scan again with Ewido>>Ad Aware and RegScrubXP!!!

Restart once more and the PC should be almost completely clean!!!

This Beats trying to Chase down the offending files that continue to Reinfect the PC!

Post back with a fresh HijackThis log and let's see how it did!
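
Added example, not part of the original thread: a small triage script for the O23 section of a HijackThis 1.99.1 log. In the log posted in Reply #2, every randomly named service has a name equal to its executable's base name followed by the name of its folder under System32; the script assumes that pattern (a heuristic, not a HijackThis feature) and lists the services that match it.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis v1.99.1 log in Reply #2 of this thread.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust Technologies Ltd. - C:\WINNT\etlisrv.exe
O23 - Service: fyodtmqpyjwc - Unknown owner - C:\WINNT\System32\qpyjwc\fyodtm.exe (file missing)
O23 - Service: ktlmasfsqxd - Unknown owner - C:\WINNT\System32\asfsqxd\ktlm.exe (file missing)
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\PH32SVC.EXE
O23 - Service: vsqrxpvxob - Unknown owner - C:\WINNT\System32\vxob\vsqrxp.exe
"""

# O23 layout: "O23 - Service: <display> [(<name>)] - <owner> - <path>[ (file missing)]"
# Assumes the display name itself contains no " - " separator.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def parse_o23(line):
    """Parse one O23 line into a dict, or return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    # When display name and service name differ, the service name is in parentheses.
    short = re.search(r"\(([^()]+)\)$", display)
    return {
        "name": short.group(1) if short else display,
        "owner": m.group("owner").strip(),
        "path": PureWindowsPath(m.group("path")),
        "file_missing": m.group("missing") is not None,
    }


def find_generated_services(log_text):
    """Return services with unknown owner whose name is <exe stem><folder> under System32."""
    hits = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None or svc["owner"] != "Unknown owner":
            continue
        path = svc["path"]
        folder = path.parent
        # The executable must sit exactly one folder below System32.
        if folder.parent.name.lower() != "system32":
            continue
        if svc["name"].lower() == (path.stem + folder.name).lower():
            hits.append(svc)
    return hits


if __name__ == "__main__":
    for svc in find_generated_services(SAMPLE_LOG):
        state = "file missing" if svc["file_missing"] else "file present"
        print(f'{svc["name"]:<16} {svc["path"]} ({state})')
```

On the sample lines it reports fyodtmqpyjwc, ktlmasfsqxd and vsqrxpvxob. Only vsqrxpvxob still has its executable on disk, which matches the vsqrxp.exe entry under "Running processes" in the same log.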

Offline biggles007

« Reply #4 on: June 01, 2005, 04:22:50 PM »
Try "Shredder" It'll remove a lot of [censored]. it's free

Another good one is " best popup killer "