hi there. someone just recently told me about your site and it looks very helpful . . . i hope you can help me.

i think it all started with a game that i downloaded and now i get pop ups . . . i mean A LOT of pop ups. they always come on strong when i reboot my computer. i was reading some things on your site and it looks like pepole have similar problems but i cannot seem to get rid of them. my adaware program finds tons of ebates things but they just keep coming back!!

i followed your great instructions and here is my hijackthis log thing:

Logfile of HijackThis v1.99.1
Scan saved at 4:17:13 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegrp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM95\aim.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download.../bridge-c18.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

PLEASE HELP ME!!

thank you

stine

Welcome to Geeks to Go, inkyspanky!

I'm working on your log, as soon as another staff member reviews it I'll post a reply. Thank you for your patience.

~Kristy

Hello inkyspanky. Welcome to Geeks to Go! I am Kristy and I will be helping you. It may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please save HijackThis in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegrp32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download.../bridge-c18.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab

Now click fix checked.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

WebSearch Toolbar
mscman
MyWebSearch

Exit Add/Remove Programs.

Be sure you're able to view hidden files, and remove the following files/folders in bold (if found):
C:\WINDOWS\system32\msmc.exe
C:\WINDOWS\Temp\TBuninst.exe /remove
C:\windows\system32\elitegrp32.exe

Empty your recycle bin, and reboot normally.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

~Kristy

HI sorry for the delay on the response i was on vacation for a while and i wanted to wait and see if the popups came back . . . they havent so far! i followed your instructions about two days ago and havent had any problems since then. here is my logfile thing:


Logfile of HijackThis v1.99.1
Scan saved at 10:24:37 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegrp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM95\aim.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe


thank you so much for your help!!

-stine

Hello inkyspanky,

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Next please run HijackThis, click Scan, and check:

O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegrp32.exe

Close all open windows except for HijackThis and click Fix Checked.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files/folders in bold (if found):
C:\WINDOWS\Temp\TBuninst.exe /remove
C:\WINDOWS\Temp\WTuninst.exe /remove
C:\windows\system32\elitegrp32.exe

Empty your recycle bin, and reboot normally.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
~Kristy

hi

when i went into safe mode i couldnt find any of those things but i did the fix selected thing and here is my logfile

Logfile of HijackThis v1.99.1
Scan saved at 11:14:12 PM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM95\aim.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe



-stine

Hello inkyspanky,

Your log looks good, how is everything running? Are you having anymore problems?

~Kristy

everything is great:) i havent had any popups or problems in days

thank you for your help

i love your site and i will be sure to come to you guys next time i have any problems!!

-stine

No problem inkyspanky!

**You may now re-hide hidden files**

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

First, you should update AVG to version 7.0. Look here for current updates.

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
• Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
• More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

~Kristy

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.