
  #1  
Old 07-07-2004, 05:27 AM
shortboypinoy
 
Posts: n/a
Help w/ Removal of adware

I am aware that there are a million other topics asking this question, but it'd be easier to make a whole new thread.

Recently, my computer has been receiving a gripload of popups; mainly the popups with the "yyy[#]" extension. I started getting this when I installed the IE6 SP1 package in order to fix my Javascript. Java is now working, but at the cost of a gripload of popups coming up. I have run Spysweeper, Adaware, Norton Antivirus, CWShredder, etc. and all have been unsuccessful. Also, I read that the system resources should be around 80%. My computer is usually at 50-70%. I'm constantly checking it to see what the % is and I see that it gradually goes down, causing the computer to end up losing its system resources, forcing me to reset. I have also done the vx2finder[9x] whole deal and tried to make a log but it doesn't seem to work. But this is what came up:

"User Agent String---
{5B0F0DC0-1DBC-11D8-9958-002078043057} "

I also ran Hijackthis and this is what I got.

Logfile of HijackThis v1.97.7
Scan saved at 3:07:53 AM, on 7/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NETPUMPER\NETPUMPERIEPROXY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETPUMPER\NETPUMPER.EXE
C:\WINDOWS\SYSTEM\FLCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MYIE2\MYIE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Peak hole five - {278EDF35-EB5D-9D1F-BFB9-21971622DACF} - C:\PROGRAM FILES\HOLD ITCH\TONS THAT.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [DATCHECK] C:\WINDOWS\SYSTEM\DATCHECK.EXE
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [DBHSPTD] C:\WINDOWS\DBHSPTD.exe
O4 - HKLM\..\Run: [vesrion] C:\WINDOWS\SYSTEM\HELLO-BUNDLEWARE.exe
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe
O4 - HKLM\..\Run: [ynirad] C:\WINDOWS\ynirad.exe
O4 - HKLM\..\Run: [Option glue] C:\PROGRA~1\blah bike\Joytest.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: 3721CMail (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.teen-me.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Help would be greatly appreciated. Thank you
  #2  
Old 07-07-2004, 03:28 PM
vee_ess
Super Moderator
 
Join Date: Aug 2001
Location: Phoenix, Arizona
Posts: 2,781

Get rid of:
R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Peak hole five - {278EDF35-EB5D-9D1F-BFB9-21971622DACF} - C:\PROGRAM FILES\HOLD ITCH\TONS THAT.DLL (file missing)

The rest should be fine, but whichever of the following you are not familiar with, I'd also get rid of:
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [DBHSPTD] C:\WINDOWS\DBHSPTD.exe
O4 - HKLM\..\Run: [vesrion] C:\WINDOWS\SYSTEM\HELLO-BUNDLEWARE.exe
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe
O4 - HKLM\..\Run: [ynirad] C:\WINDOWS\ynirad.exe

I'd suggest trying another browser such as Firefox because they are usually more immune to these problems. Firefox is also extremely fast.
  #3  
Old 07-07-2004, 03:52 PM
shortboypinoy
 
Posts: n/a

Hmmmm.....I'm not sure how effective deleting those files will be, but thank you for helping out. I'll try to post back if anything happens.

How good is this FireFox? I'm currently using MYIE2, which acts like IE but w/ tabs and a popup blocker. Oh, and MYIE2 doesn't block IE windows, so I use CheckIt-86, and the popups have gotten around those...... sucks, doesn't it? HAHA. But I will have to wait to see if something pops up or not.
  #4  
Old 07-07-2004, 07:44 PM
Jason425
Lab Master Techie
 
Join Date: Sep 2002
Location: The Matrix
Posts: 7,353

Stupid solution (because I'm tired of dealing with noobs that have too much junk on their comps, not just here..): put the HD in the microwave for 30 seconds and then throw it in the garbage.. buy a new one.. all done.. then stop going to bad sites and maintain your comp...
__________________
Dell Inspiron 1420 in Midnight Blue - Intel Core2Duo T7300 2.0GHZ/4MB - 2GB Ram - Nvidia 8400 GS 128mb - DVD/RW - 160GB 7200RPM - 14.1" Antiglare - Intel 4965AGN - Bluetooth 2.0 - 2MP Webcam - Vista Home Premium
2005 Mazda3i in Strato Blue
http://www.jasondsmith.net

  #5  
Old 07-07-2004, 10:13 PM
shortboypinoy
 
Posts: n/a

HAHAHAH, I'm not really the one to blame for the mess-ups. It's all my sister's doing. I always tell her not to go to these certain sites, but she's too stupid to understand, so she goes anyway, thus messing up the computer. I have two computers and I'm forced to try to maintain both of them. The computer I'm using right now is the popup computer; it used to be great because it beats the other computer. My sister used it and now it sucks. I started using the other computer and got that one working well, and I'm hoping that it stays good, but I'm worried my sister will mess that one up as well.

And unfortunately, the popups still keep coming.
  #6  
Old 07-07-2004, 10:52 PM
Jason425
Lab Master Techie
 
Join Date: Sep 2002
Location: The Matrix
Posts: 7,353

I know how that is.. my brother is a total noob and I just let him run that other comp until it's unusable and then I make him pay me to fix it.
  #7  
Old 07-08-2004, 03:50 AM
vee_ess
Super Moderator
 
Join Date: Aug 2001
Location: Phoenix, Arizona
Posts: 2,781

Firefox is pretty good. It's easily the fastest browser I've used (out of IE, Netscape, Mozilla [I know it's the same company, Firefox is still faster though], and Opera). It seems to be immune to the spyware/adware that's currently on my system 'til tomorrow's or the day after's format. It's got the tabs which, as you know, are very handy.

About deleting those files, it's usually randomly named files like ynirad or DBHSPTD that put back the files that Ad-Aware and Spybot and the like destroy. They load DLLs that you can't shut down in the same session, which ensures that the spyware/adware stays.
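A triage pass over HijackThis-format lines, covering the entries vee_ess singles out in post #2 (orphaned hooks and toolbars, the hosts redirect, unfamiliar Run entries) and the randomly named re-infection loaders described in post #7. This is an added example, not code from the thread or from HijackThis itself; the sample lines are copied from the log in post #1 plus two benign entries for contrast, and the KNOWN_GOOD allowlist is a hypothetical stand-in for "programs you recognise".

```python
import re

# Constructed sample in the HijackThis log format shown in the thread
# (lines copied from the log above, plus two benign ones for contrast).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Peak hole five - {278EDF35-EB5D-9D1F-BFB9-21971622DACF} - C:\PROGRAM FILES\HOLD ITCH\TONS THAT.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [vesrion] C:\WINDOWS\SYSTEM\HELLO-BUNDLEWARE.exe
O4 - HKLM\..\Run: [ynirad] C:\WINDOWS\ynirad.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O15 - Trusted Zone: *.teen-me.com
"""

# Assumed allowlist (hypothetical): autostart executables the machine's
# owner recognises; in practice built from what you know you installed.
KNOWN_GOOD = {"taskmon.exe", "systray.exe", "spysweeper.exe", "scanregw.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|dll|ocx|ocm))', re.I)

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header, process list, blank line
        kind, body = m.group("kind"), m.group("body")
        # 1. Hooks/toolbars whose file is gone are leftovers of removed
        #    adware; the registry entry itself is what still needs deleting.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("orphaned entry, file already gone", line))
        # 2. A hosts-file line redirects a hostname (here IE's search
        #    helper) to an address the user never chose.
        elif kind == "O1":
            findings.append(("hosts-file redirect", line))
        # 3. Trusted Zone additions let a site bypass IE's security settings.
        elif kind == "O15":
            findings.append(("site added to Trusted Zone", line))
        # 4. Run/RunServices entries not on the allowlist: the randomly
        #    named ones are the loaders that restore adware after a clean.
        elif kind == "O4":
            exe = EXE_RE.search(body)
            name = exe.group(1).lower() if exe else ""
            if name not in KNOWN_GOOD:
                findings.append(("unfamiliar autostart entry", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the nine sample lines and leaves the Radio toolbar, TaskMonitor and SpySweeper entries alone; a flag is a prompt to check the entry, not a verdict.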
  #8  
Old 07-08-2004, 03:22 PM
shortboypinoy
 
Posts: n/a

Hahah, thanks for all the help, but I actually found one of the other threads on this forum explaining how to remove the "yyy" stuff. Unfortunately, I don't have to run those virus detectors anymore. YAY!