Old 09-09-2004, 09:27 PM   #1 (permalink)
New Member
 
Join Date: Sep 2004
Posts: 22
Adware Virus Spyware?! PLEASE HELP

The other day my computer just started spazzing out. It has been downloading programs to my desktop and every few minutes Internet Explorer pops up taking me to a strange site I've never seen before. It takes me to http://ads1.revenue.net/r?site_id=12...d=1&r_num=2154 or www.adv1.eblocs.com. I can't stop it from doing this and I've tried everything. I have adaware 6.18 and it isn't detecting any adware on my computer. No new programs pop up in the ctrl+alt+del menu except the new programs that are being downloaded. Does anyone have any ideas as to what I can do? Please help, this is so annoying and potentially destructive to my computer. E-mail me at kingdante87@yahoo.com if you have ANY news.
kingdante87 is offline   Reply With Quote


Old 09-10-2004, 01:39 PM   #2 (permalink)
Administrator
 
Praetor's Avatar
 
Join Date: Jul 2004
Location: Canada
Age: 25
Posts: 19,951

Spybot
http://security.kolla.de/

You might have a trojan... a virus scan should deal with most of the nuisance ones. Do you have a firewall?
__________________
ASUS P5K Premium WiFi-AP, Q6600@3.7 / ASUS P5ND, E6400@3.8
4GB OCz Platinum XTC 8500 / 4GB CorsairXMS2 6400
5x500GB Seagate 7200.10 / 2x500 Seagate 7200.10
OCz 8800GTX 768MB @ 630/800 / 2x Galaxy 8800GT SLI
Praetor is offline   Reply With Quote
Old 09-10-2004, 08:28 PM   #3 (permalink)
New Member
 
Join Date: Sep 2004
Posts: 22

I have antivir9x and it detected a few viruses but deleting them didn't stop the problem. I've put the sites on my IE block list so they don't load the page when they pop up but they still pop up. I thought changing the name of the Iexplorer.exe file would help but no. I don't have a firewall so I guess it's kinda my fault I have this thing whatever it is, but I'd still like help. If anyone knows anything else, please help me. Thank you.
kingdante87 is offline   Reply With Quote
Old 09-10-2004, 08:51 PM   #4 (permalink)
VIP Member
 
Lorand's Avatar
 
Join Date: Dec 2003
Location: Bucharest
Age: 41
Posts: 3,042

Try HijackThis: http://www.spychecker.com/download/d...ijackthis.html
And for a firewall you can grab the free version of ZoneAlarm: http://www.zonelabs.com/store/content/home.jsp
Lorand is offline   Reply With Quote
Old 09-11-2004, 08:35 AM   #5 (permalink)
New Member
 
Join Date: Jul 2004
Posts: 9

Try
Ad-aware http://www.lavasoftusa.com/software/adaware/
__________________
VirZ Ringtones, fun games, forums and many more.
virz is offline   Reply With Quote


Old 09-11-2004, 08:58 AM   #6 (permalink)
VIP Member
 
Lorand's Avatar
 
Join Date: Dec 2003
Location: Bucharest
Age: 41
Posts: 3,042

Quote:
Originally Posted by kingdante87
I have adaware 6.18 and it isn't detecting any adware on my computer.
It seems that he already tried Ad-aware...
Lorand is offline   Reply With Quote
Old 09-11-2004, 01:05 PM   #7 (permalink)
Administrator
 
Praetor's Avatar
 
Join Date: Jul 2004
Location: Canada
Age: 25
Posts: 19,951

- But he made no mention of Spybot yet
- Hijack would definitely be a good route to take
Praetor is offline   Reply With Quote
Old 09-11-2004, 06:32 PM   #8 (permalink)
New Member
 
Join Date: Sep 2004
Posts: 22

Ok, I downloaded HijackThis and have no clue what to fix and what not. Here is the log file it made for me:
Logfile of HijackThis v1.97.7
Scan saved at 1:30:20 PM, on 9/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\MSUPDATEQ49500X86.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAMS\BACK UP FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\search.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 66.250.171.167 sitefinder.verisign.com
O1 - Hosts: 66.250.171.167 sitefinder-idn.verisign.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [atiupdate] C:\MSUPDATEQ49500X86.EXE
O4 - Startup: Findfast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Does anyone know if any of these are bad and should be deleted?
Thanks ... again.
kingdante87 is offline   Reply With Quote
Old 09-11-2004, 06:48 PM   #9 (permalink)
VIP Member
 
Lorand's Avatar
 
Join Date: Dec 2003
Location: Bucharest
Age: 41
Posts: 3,042

The C:\MSUPDATEQ49500X86.EXE is very dubious. If you can't remove it, try this tip: http://www.kephyr.com/spywarescanner...te/index.phtml
Lorand is offline   Reply With Quote
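
A triage pass over the HijackThis log from post #8, as an added example that is not part of the original thread and not HijackThis's own logic. The sample is an excerpt copied from that log; the three heuristics (executables sitting directly in a drive root, hosts-file overrides, entries marked "(no file)") are assumptions that only mark lines for a manual look.

```python
import re
# Excerpt copied from the HijackThis log in post #8 (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\ptsnoop.exe
C:\MSUPDATEQ49500X86.EXE

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 66.250.171.167 sitefinder.verisign.com
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKCU\..\Run: [atiupdate] C:\MSUPDATEQ49500X86.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                 # "O4 - rest of line"
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)   # exe directly in a drive root
AUTORUN = re.compile(r"^(\S+): \[(.*?)\] (.*)$")           # "HKCU\..\Run: [name] command"

def parse(log):
    """Split a HijackThis log into running-process paths and (code, text) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def review(log):
    """Return (reason, detail) pairs for manual review; the heuristics are assumptions."""
    processes, entries = parse(log)
    running = {p.upper() for p in processes}
    notes = [("process in drive root", p) for p in processes if ROOT_EXE.match(p)]
    for code, text in entries:
        auto = AUTORUN.match(text) if code == "O4" else None
        if auto and ROOT_EXE.match(auto.group(3)):
            # Cross-reference the autorun target with the running-process list.
            state = "running" if auto.group(3).upper() in running else "not running"
            notes.append((f"autorun from drive root ({state})", text))
        elif code == "O1":
            notes.append(("hosts file override", text.split(": ", 1)[1]))
        elif text.endswith("(no file)"):
            notes.append(("registry entry with no file", text))
    return notes

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

An autorun entry that is also in the running-process list means deleting the file alone will not hold while the Run value remains, since the value relaunches whatever sits at that path at the next logon.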
Old 09-11-2004, 07:52 PM   #10 (permalink)
New Member
 
Join Date: Sep 2004
Posts: 22

I deleted C:\MSUPDATEQ49500X86.EXE but the problem still hasn't been solved. Hmm, maybe I didn't delete it, because I just opened my ctrl alt del and found it running. I've never caught it running before. Guess I'm gonna have to try killing it again.
kingdante87 is offline   Reply With Quote
All times are GMT +1. The time now is 02:49 PM.