Help with IE popups!!!!


ZepSinger
03-29-2005, 06:54 AM
Guys-
About a week ago, I started getting TONS of IE popups- like 6 a minute. I've run Spybot Search & Destroy, Adaware, Spy Doctor, and Registry Mechanic(all latest updates) numerous times, to no avail. Anyone have a solution????

Z

Saulbadguy
03-29-2005, 06:57 AM
Heh.

http://www.mozilla.org/products/firefox/

:)

htismaqe
03-29-2005, 07:03 AM
Nice suggestion Saul. Too bad it didn't answer his question.

Zep,

Have you run CWShredder yet?

If not, download it from www.intermute.com and run it.

What version of Windows are you running?

ZepSinger
03-29-2005, 09:43 AM
Nice suggestion Saul. Too bad it didn't answer his question.

Zep,

Have you run CWShredder yet?

If not, download it from www.intermute.com and run it.

What version of Windows are you running?

XP.

ZepSinger
03-29-2005, 09:51 AM
Heh.

http://www.mozilla.org/products/firefox/

:)

Saul-
I've had Firefox for a year now, but got lazy and had started using IE again. MORON. :banghead:

The one piece of malware that keeps coming back(and I'm assuming could be my culprit), is something called Elite.Bar. So far, no luck dumping it.. :deevee:

Lzen
03-29-2005, 10:12 AM
Heh.

http://www.mozilla.org/products/firefox/

:)


:thumb: I was gonna do that. You beat me to it.

Lzen
03-29-2005, 10:13 AM
Oh and btw, www.cjonline.com has a popup that Firefox doesn't block. Can anyone explain that?

Saulbadguy
03-29-2005, 11:12 AM
:thumb: I was gonna do that. You beat me to it.
It was just a jab at Parker. :)

htismaqe
03-29-2005, 12:19 PM
It was just a jab at Parker. :)

Fugger!

Zep,

Run CWShredder.

ZepSinger
03-29-2005, 02:58 PM
Fugger!

Zep,

Run CWShredder.

I did. No luck.

Have done some research, sounds like it's Elite Toolbar. Seems it re-installs itself on the next bootup, looking for something that kills it permanently...

dirk digler
03-29-2005, 04:00 PM
It might just be easy to print this webpage but this should solve your problem...hopefully

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090724

Detection and Removal

Manual Removal

Follow these steps to remove Elite toolbar from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:
Kill these running processes with Task Manager:

profilepath+\local settings\temp\suicidetb.exe
protas.exe
systemroot+\system32\elitekck32.exe
systemroot+\system32\elitexdx32.exe
ventura1.exe

Remove Autorun Reference:
Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\antiware, delete it and reboot the machine immediately.

Unregister DLLs:
Unregister these DLLs with Regsvr32, then reboot:

systemroot+\elitesidebar\elitesidebar 08.dll
systemroot+\elitetoolbar\elitetoolbar version 59.dll

Clean Registry:
Remove these registry items (if present) with RegEdit:

HKEY_CLASSES_ROOT\clsid\{0a1d22c3-37be-470c-9c29-e3074ee0574b}
HKEY_CLASSES_ROOT\clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
HKEY_CLASSES_ROOT\clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
HKEY_CLASSES_ROOT\clsid\{be8d0059-d24d-4919-b76f-99f4a2203647}
HKEY_CLASSES_ROOT\clsid\{ed103d9f-3070-4580-ab1e-e5c179c1ae41}
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser\{825cf5bd-8862-4430-b771-0c15c5ca8def}
HKEY_LOCAL_MACHINE\software\elitum
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{825cf5bd-8862-4430-b771-0c15c5ca8def}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{ed103d9f-3070-4580-ab1e-e5c179c1ae41}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\antiware
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar
HKEY_LOCAL_MACHINE\software\ohbbackup

Remove Files:
Remove these files (if present) with Windows Explorer:

profilepath+\local settings\temp\suicidetb.exe
protas.exe
systemroot+\elitesidebar\elitesidebar 08.dll
systemroot+\elitetoolbar\elitetoolbar version 59.dll
systemroot+\system32\elitekck32.exe
systemroot+\system32\elitexdx32.exe
ventura1.exe

Remove Directories:
Remove these directories (if present) with Windows Explorer:

systemroot+\elitesidebar
systemroot+\elitetoolbar

htismaqe
03-29-2005, 05:52 PM
I did. No luck.

Have done some research, sounds like it's Elite Toolbar. Seems it re-installs itself on the next bootup, looking for something that kills it permanently...

You're probably reduced to running HiJackThis.

Download it, run it, and paste the output here.

4th and Long
03-29-2005, 06:10 PM
This site will test your browser for parasites and tell you how to get rid of them (usually).

http://www.doxdesk.com/parasite/

It's worth a shot.

ZepSinger
03-29-2005, 09:07 PM
You're probably reduced to running HiJackThis.

Download it, run it, and paste the output here.

Here's the output from HijackThis:
------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:06:27 PM, on 3/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\mztaaofr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\becjl0qd\becjl0qd.exe
C:\WINDOWS\System32\vrrrli.exe
C:\WINDOWS\sys022283189212.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\becjl0qd\21376124.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
E:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ron\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [uhcafbguutqnjdye] C:\WINDOWS\mztaaofr.exe
O4 - HKLM\..\Run: [becjl0qd] C:\Program Files\becjl0qd\becjl0qd.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vrrrli.exe
O4 - HKLM\..\Run: [sys022283189212] C:\WINDOWS\sys022283189212.exe
O4 - HKLM\..\Run: [tFnV3me] urlwseui.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesiy32.exe
O4 - HKCU\..\Run: [co49RgK6S] umpmdll.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: OpenOffice.org 1.1.4.lnk = E:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: nddd.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c112.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106662975156
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Darkwolfe
03-29-2005, 09:33 PM
O4 - HKLM\..\Run: [uhcafbguutqnjdye] C:\WINDOWS\mztaaofr.exe

Better run a virus scan while you're at it. That file looks very suspicious given its location and somewhat random seeming name.

If you've got Norton or McAfee, I'm sorry, get a real Anti-virus here for free: www.avast.com

Make sure your spybot is version 1.3 and it's fully updated. (It was updated last weekend, current total is 22980) Spyware Doctor is of dubious nature and if you paid for it, ya got ripped... See this:

From security.kolla.de
If you search for the keyword Spybot on Altavista or some other search engines, you'll get a bunch of sponsored results. One of them is Spyware Doctor, who seem to be aggressively using our name Spybot to advertise their software. We receive a bunch of emails every week from people complaining to us and asking for a refund. After some mails we usually find out that those people believed they had bought Spybot-S&D, but actually got Spyware Doctor.

PC Tools' attorney Darren Sommers sees nothing bad in cheating people that way. We did contact Element 5, the company they use for their payments (and which btw is used by Lavasoft as well) for any help we could give to those people who were cheated and contacted by us. Ms. Schulte-Hoberg from Element 5 reacted by rejecting any help to people who were cheated by PC Tools. Element 5 did even block all our email addresses to avoid any more about this.

As there is nothing we can do to help, and Element 5 rejects any cooperation in getting the cheated people refunds, we can only recommend to write letters of complaint to Element 5, and, if you were cheated yourself, contact us at legal@spybot.info so that we can confront them with a huge bunch of cases.

----------
Complain loud and long.

ZepSinger
03-29-2005, 09:59 PM
Nah, I didn't purchase Spyware doctor- just a free download.
I have Avast on my other PC, guess I'll put it on this one as well..

wutamess
03-29-2005, 10:12 PM
Items with (*) need to be checked in the hijack this scan.
If it looks familiar and you don't want to remove it, remove it anyway; the stuff is running when you start up your computer and causing your bootup/startup time to be really long.

You're not deleting the familiar stuff just stopping it from running at startup.

let me know if you have additional ?'s.

Here's the output from HijackThis:
------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:06:27 PM, on 3/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
* C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
* C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
* C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
* C:\WINDOWS\System32\RUNDLL32.exe
* C:\WINDOWS\mztaaofr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
* C:\Program Files\becjl0qd\becjl0qd.exe
* C:\WINDOWS\System32\vrrrli.exe
* C:\WINDOWS\sys022283189212.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
* C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\becjl0qd\21376124.exe
*? unless this is one of your spyware progs. C:\Program Files\interMute\SpySubtract\SpySub.exe
E:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ron\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
* O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
* O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
* O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
* O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
* O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
* O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
* O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
* O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
* O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
* O4 - HKLM\..\Run: [AnyDVD] E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
* O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
* O4 - HKLM\..\Run: [uhcafbguutqnjdye] C:\WINDOWS\mztaaofr.exe
* O4 - HKLM\..\Run: [becjl0qd] C:\Program Files\becjl0qd\becjl0qd.exe
* O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vrrrli.exe
* O4 - HKLM\..\Run: [sys022283189212] C:\WINDOWS\sys022283189212.exe
* O4 - HKLM\..\Run: [tFnV3me] urlwseui.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
* O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
* O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesiy32.exe
* O4 - HKCU\..\Run: [co49RgK6S] umpmdll.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: OpenOffice.org 1.1.4.lnk = E:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
* O4 - Global Startup: nddd.exe
* O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
* O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
* O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
* O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
* O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c112.cab
* O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106662975156
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

wutamess
03-29-2005, 10:16 PM
After you remove those items... I'd go to add/remove programs and remove all of the stuff you don't use, even the spyware blocking programs. A lot of those programs seem to actually have their own spyware or advertisements in them. So a lot of spyware is probably in there. When you remove those unnecessary programs you should notice increased PC performance.

Then I'd go to webroot.com and download and run spysweeper It'd probably run for 30+ mins and fix a lot of errors.

Then I'd suggest running Firefox or upgrading your XP system to XP2.

I have McAfee but I'm sure firefox is what really blocks the stuff. I only use IE when I have to (for certain sites).

htismaqe
03-30-2005, 08:17 AM
I would amend wutamess' list as follows:

* C:\WINDOWS\System32\CTHELPER.EXE
-- DO NOT delete this, it is a helper service for Creative Sound Cards

* C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
-- this definitely looks like malware

* C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
-- this too looks like malware

* C:\WINDOWS\System32\RUNDLL32.exe
-- this is actually a legit Windows app. It is used to load DLLs into memory. Unfortunately, it doesn't identify the DLL it's associated with, so to be safe, you should probably delete it...just be aware that a legit app might stop functioning because of it

* C:\WINDOWS\mztaaofr.exe
-- definitely looks like malware

* C:\Program Files\becjl0qd\becjl0qd.exe
* C:\WINDOWS\System32\vrrrli.exe
* C:\WINDOWS\sys022283189212.exe
-- all of these look like malware

* C:\WINDOWS\SysCheckBop32.exe
-- this is known spyware

C:\Program Files\becjl0qd\21376124.exe
-- he missed this one...the random-looking name looks like malware

*? unless this is one of your spyware progs. C:\Program Files\interMute\SpySubtract\SpySub.exe
-- yep, this is SpySubtract anti-spyware, no need to delete

* O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
* O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
-- these two appear to be related to Spyware Doctor, therefore not likely to be harmful

* O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
-- again, DO NOT delete...it may screw up your sound card

* O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
-- get rid of this

* O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
-- get rid of this

* O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
-- there's no danger in leaving this

* O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
-- if you remove this, RealPlayer will no longer be able to auto-update

* O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
-- if you remove this, Quicktime Player may not function properly

* O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
-- if you remove this, Java J2RE will no longer auto-update

* O4 - HKLM\..\Run: [AnyDVD] E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
-- DO NOT remove this, it will ruin some functionality of SlySoft AnyDVD

* O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
-- this looks malicious

* O4 - HKLM\..\Run: [uhcafbguutqnjdye] C:\WINDOWS\mztaaofr.exe
* O4 - HKLM\..\Run: [becjl0qd] C:\Program Files\becjl0qd\becjl0qd.exe
* O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vrrrli.exe
* O4 - HKLM\..\Run: [sys022283189212] C:\WINDOWS\sys022283189212.exe
* O4 - HKLM\..\Run: [tFnV3me] urlwseui.exe
-- all of these look bad and should be removed

* O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
-- known spyware...remove

* O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesiy32.exe
-- i don't know what this is, but it looks suspicious

* O4 - HKCU\..\Run: [co49RgK6S] umpmdll.exe
-- i don't know what this is, but it definitely looks malicious

* O4 - Global Startup: nddd.exe
-- this looks like malware

* O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
-- if you delete this, SpySubtract may not function properly

* O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
* O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
-- no need to delete these, part of Java J2RE

* O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
-- Spyware Doctor, again no need to remove

* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
-- this looks like spyware to me

* O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
-- I've never heard of truedoc, if this is an app you have installed to port OpenOffice docs to PDF or Word, keep this

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...Bridge-c112.cab
-- he didn't mark this one, but it looks suspicious to me

* O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1106662975156
-- DO NOT delete this, this is the applet for Windows Update

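Added example, not code from the thread, from HijackThis or from CA: a Python triage pass over the O2/O4/O16 lines of a HijackThis log that applies the Elite Toolbar CLSIDs and file names quoted from the CA advisory earlier in the thread together with the heuristics htismaqe applied by hand above (executables dropped straight into the Windows directory, random-looking autorun names, an ActiveX download with no control name). The sample log is a constructed subset of the one Zep posted, plus one made-up BHO line so the CLSID check has something to match.

```python
import re

# CLSIDs for Elite Toolbar, quoted from the CA advisory earlier in the thread.
ELITE_CLSIDS = {
    "{0A1D22C3-37BE-470C-9C29-E3074EE0574B}",
    "{28CAEFF3-0F18-4036-B504-51D73BD81ABC}",
    "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}",
    "{BE8D0059-D24D-4919-B76F-99F4A2203647}",
    "{ED103D9F-3070-4580-AB1E-E5C179C1AE41}",
}

CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.*?)(?: = (?P<cmd>.*))?$")
O16_RE = re.compile(r"^O16 - DPF: " + CLSID + r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# Random-looking names: digits sandwiched between letters, a long digit run,
# or no vowels at all (compare [becjl0qd], [sys022283189212], nddd.exe in the log).
RANDOM_NAME_RES = (
    re.compile(r"[A-Za-z]\d+[A-Za-z]"),
    re.compile(r"\d{6,}"),
    re.compile(r"^[^aeiouAEIOU\W\d]{4,}$"),
)
# An executable dropped straight into C:\WINDOWS rather than a program directory.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)

def executable_of(cmd):
    """Program part of an autorun command, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, maybe with args
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)(.*?\.exe)\b", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def looks_random(name):
    stem = name.split(".", 1)[0]                 # drop .exe / .lnk
    return any(r.search(stem) for r in RANDOM_NAME_RES)

def reasons_for(line):
    """Reasons (possibly none) that one HijackThis line deserves a second look."""
    reasons = []
    if (m := O2_RE.match(line)):
        if m["clsid"].upper() in ELITE_CLSIDS:
            reasons.append("BHO CLSID listed in the Elite Toolbar advisory")
        if "elite" in m["path"].lower():
            reasons.append("BHO path matches Elite Toolbar file naming")
    elif (m := O4_RUN_RE.match(line)) or (m := O4_STARTUP_RE.match(line)):
        name, cmd = m["name"], m["cmd"] or m["name"]
        exe = executable_of(cmd)
        if looks_random(name):
            reasons.append("random-looking autorun name")
        if WINDIR_ROOT_RE.match(exe):
            reasons.append("executable placed directly in the Windows directory")
        if "elite" in exe.lower():
            reasons.append("file name matches Elite Toolbar family")
        if exe.lower().startswith("rundll32") and "\\" not in cmd:
            reasons.append("rundll32 loads a DLL given without a path")
    elif (m := O16_RE.match(line)) and not m["name"]:
        reasons.append("ActiveX download with no control name")
    return reasons

def triage(log_text):
    """(line, reasons) for every log line that trips at least one heuristic."""
    lines = [l.strip() for l in log_text.splitlines()]
    return [(l, reasons_for(l)) for l in lines if reasons_for(l)]

# Constructed sample: lines from the log posted in the thread, plus one made-up
# O2 line carrying an advisory CLSID and DLL name so that check is exercised too.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\elitetoolbar\elitetoolbar version 59.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [uhcafbguutqnjdye] C:\WINDOWS\mztaaofr.exe
O4 - HKLM\..\Run: [becjl0qd] C:\Program Files\becjl0qd\becjl0qd.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vrrrli.exe
O4 - HKLM\..\Run: [sys022283189212] C:\WINDOWS\sys022283189212.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesiy32.exe
O4 - HKCU\..\Run: [co49RgK6S] umpmdll.exe
O4 - Global Startup: nddd.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c112.cab
"""
```

Name and location heuristics say nothing about an entry that borrows a plausible name in a normal location, such as [KavSvc] C:\WINDOWS\System32\vrrrli.exe, which is why the thread still ends with a person reading the log.
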
Frosty
03-30-2005, 09:18 AM
I used to deal with this all of the time at the school I used to support. The little bastards couldn't wait to download every form of spyware and virus laden crap they could find. :cuss:

I found that it was best to do all of your malware removal from safe mode. Otherwise, you have to be very quick to shut 'em down in Task Manager because a lot of them have helper apps running that will restart each other if you shut one down.

You also have to make sure that you remove all the malware browser helper objects (BHOs) with HijackThis or Toolbar Cop or something like it, before you restart IE, because the malware BHOs will frequently reinstall the original stuff back on to your computer.

Finally, here is a link (http://www.spywarewarrior.com/rogue_anti-spyware.htm#products) that lists all of the programs that claim to be spyware removers but have problems of their own (like installing crap of their own on your computer or having false positives to get you to upgrade to a paid version). There are quite a few links to good products too.

ROYC75
03-30-2005, 09:35 AM
Say what you must, but I run Yahoo toolbar with pop up blocker / anti spy (free) and very seldom ever see a pop up. I do mean very seldom, maybe 2 per month if that much.

Frosty
03-30-2005, 09:48 AM
The Google one works well, too.

I've never been a big fan of toolbars (I always removed the Yahoo one at the school :) ). Get a few of them up there and I feel like I'm surfing the net through a periscope.

One thing I like about Firefox is that I can put everything on one line. The menus, nav buttons, address window and google window on one line. If I have multiple tabs open, that's a second line. That's it - nice and clean.

htismaqe
03-30-2005, 12:06 PM
I use IE with XP SP2. I don't get popups at all.

ZepSinger
03-30-2005, 03:15 PM
I use IE with XP SP2. I don't get popups at all.

I seem to have finally lost the popups- ran Avast! and found a Trojan Horse, deleted it and I'm good to go...

Z

htismaqe
03-31-2005, 07:24 AM
I seem to have finally lost the popups- ran Avast! and found a Trojan Horse, deleted it and I'm good to go...

Z

Run HiJackThis again. I want to see how it looks now.

recycle
04-01-2005, 02:30 AM
This is what happens when you don't use Internet Explorer.