I've got a virus or something that causes two IE windows to pop up every minute or so, and then another one that causes a new tab to open in Firefox and then resizes the window (maybe they're the same one?). I need to kill them. Painfully.
I've used Stinger, Ad-Aware, SpyBot, McAfee VirusScan and SpywareBlaster, all to no avail.
This will get added at the end of each post you make, below an horizontal line. This should preferably be kept to a small enough size.
Is there a particular pop-up that you keep getting? Maybe you can do a Google search on that along with pop-ups to find if other people have had the same issue.
HouseCall said that it didn't find any potential threats on my computer (which is the same thing McAfee and SpyBot have been saying, proving that my virus detectors need eyeglasses).
I've also run HijackThis, but I need someone who can translate it from technical jargon that goes WAY over my head into simple English.
Have you tried Microsoft Antispyware? I actually think it's called Microsoft Defender now, and it's always worked on stuff that both AdAware and Spybot have missed or couldn't get rid of on my computer.
It's usually listed as a top download on the front page of Microsoft.com.
Originally posted by Gugs:
HouseCall said that it didn't find any potential threats on my computer (which is the same thing McAfee and SpyBot have been saying, proving that my virus detectors need eyeglasses).
I've also run HijackThis, but I need someone who can translate it from technical jargon that goes WAY over my head into simple English.
If nothing else works, post the HijackThis! log here. I'm sure someone can figure it out.
In the real world, WWE believes that no matter what our race, religious creed or ethnic background in America, we all share the common bond of being Americans. American-Arabs are a part of the fabric of America, and they should be embraced by all of us.
Your wish is my (very long) command.
Logfile of HijackThis v1.99.1
Scan saved at 2:28:45 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
Adware: Adware.Snackman. Pacman type game; when installed will retrieve and display pop-up ads from servedby.advertising.com. Also periodically communicates with digink.com with a unique user ID.
All of those processes look quite suspicious. They don't turn up things on Google, but I think a lot of them are just random names covering up whatever they are. I'd remove the Snackman adware, disable these start up processes, and then rerun your ad/virus check stuff after, because these programs may be hiding things from it.
That weatherbug software includes some tracking stuff. I know a lot of people who love it, but it can cause problems and there are alternatives.
Yeah, I would close the following programs (Hit Ctrl-Alt-Del and end these processes):
C:\WINDOWS\system32\20272722292526.exe
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\system32\spytiqwuy.exe
C:\WINDOWS\system32\fqxz9h.exe
C:\Program Files\EQArticle\EQArticle.exe (this also causes pop-ups)
C:\WINDOWS\sys0303116067-10.exe
Then run any spyware removers you can find. With the program not running, sometimes you have better results detecting it.
Then restart, and repost the HijackThis! log so we can see if these programs went away.
Edit: Missed one.
(edited by Mr. Boffo on 15.3.06 1838)
Originally posted by Mr. Boffo:
Then restart, and repost the HijackThis! log so we can see if these programs went away.
Logfile of HijackThis v1.99.1
Scan saved at 8:27:06 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
First, I've discovered that it's best to close all open programs when you try removing this stuff. Including your web browser. So print this out if you can. If not, it's probably all right.
First off, do you take surveys through NPD Online Research? I assumed you did before, but if you don't, then there are some programs to be removed with that as well. It runs as a program called HTI.
Anyway, end this process:
C:\WINDOWS\system32\fqxz9h.exe
Go into HijackThis!, and remove:
O4 - HKLM\..\Run: [Configuration Loader] msnexplore.exe
Every program called Configuration Loader that I've found has been a Trojan or a Worm. I don't believe this is the real MSN Explorer.
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
Obvious enough.
O4 - HKCU\..\Run: [Microsoft Update] windoc.exe
That program is pretending to be Microsoft Update. It isn't. If it were legitimate it wouldn't have a fake name like that.
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
This is an ad-ware module called CasClient.
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
Not anything bad, but files are missing which means it might as well be removed.
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
Elitemediagroup.Net is an advertising website.
O18 - Filter: text/html - {7B1EE13A-FE1E-48B0-AC2C-8ACC5E3BB7CB} - C:\WINDOWS\system32\fpdrnznx.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\dnp8017ue.dll
These might not be anything bad, but they probably are. Plus they just look suspicious to me.
Remove all that, restart, run all the Spyware searchers you've got (I see Windows Defender, SpyBot, and Ad-Aware, at the least), restart, and post the log again.
Logfile of HijackThis v1.99.1
Scan saved at 11:27:55 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
Safe mode is your friend when trying to get rid of spyware. If you start in Safe mode you won't get so many processes starting, which means, in theory, they'll be easier to get rid of.
C:\Program Files\AWS\WeatherBug\Weather.exe
A couple of sites say this has spyware with it, a couple say it's safe. I'd get rid of it anyway.
R3 - Default URLSearchHook is missing
Fix that with HJT.
F2 - REG:system.ini: UserInit=userinit.exe
Suspect. I'd fix it, but can't say for sure it isn't legit.
O9 - Extra button: (no name)
Anything like that, fix it with HJT. You sure have a lot of toolbars and helpers; Google search AND Yahoo search seems especially redundant. Anything that is an Extra Menu, Extra Tools or Extra Button, double check to make sure you can figure out what it is.
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\d2j0lc1m1f.dll
Fix that with HJT.
Kill anything with NPDOR in it; online surveys generally equal bad news IMO. Once you do all that, restart to safe mode again and start HJT again, see what else you can take out. Also try running Adaware or Spybot S&D when in safe mode; it helps them sometimes too.
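An added example, not code from any poster in this thread: a small Python triage pass over HijackThis entries of the kind walked through in the posts above, using entries quoted in the thread as sample input. The random-name test, the hint wording and the function names are assumptions made for illustration; a hint means "look this entry up", not "this is malicious".

```python
import re

# Meanings of the HijackThis section codes that appear in this thread.
SECTIONS = {
    "R": "IE start/search page setting",
    "F": "autostart from system.ini/win.ini",
    "O4": "autostart from Run key or Startup folder",
    "O9": "extra IE button or Tools menu item",
    "O18": "extra protocol or filter handler",
    "O20": "Winlogon Notify / AppInit DLL",
}
ENTRY = re.compile(r"^([A-Z])(\d+) - (.*)$")
BINARY = re.compile(r"([^\\\"\s]+)\.(?:exe|dll)\b", re.I)

# Entries quoted from the posts above, used as sample input.
SAMPLE = r'''
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Configuration Loader] msnexplore.exe
O4 - HKLM\..\Run: [kVdtBOn] "C:\WINDOWS\system32\spytiqwuy.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\dnp8017ue.dll
'''

def looks_random(stem):
    """Assumed heuristic: digits or very few vowels in the file name."""
    vowels = sum(c in "aeiou" for c in stem.lower())
    return any(c.isdigit() for c in stem) or vowels / len(stem) < 0.25

def triage(line):
    """Return (code, section, hints) for a log entry, or None otherwise."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group(1) + m.group(2), m.group(3)
    section = SECTIONS.get(code) or SECTIONS.get(m.group(1), "unknown")
    hints = []
    if "(file missing)" in body:
        hints.append("target file missing")
    if code in ("O4", "O18", "O20"):
        hints += ["random-looking name: " + b.group(0)
                  for b in BINARY.finditer(body) if looks_random(b.group(1))]
        if code == "O4" and "\\" not in body.split("]", 1)[-1]:
            hints.append("no full path given")
    return code, section, hints

def flagged(text):
    """Entries that earned at least one hint, as (code, hints) pairs."""
    return [(r[0], r[2]) for r in map(triage, text.splitlines()) if r and r[2]]
```

Calling `flagged(SAMPLE)` returns four of the six entries. The CMAPP line, which the thread identifies as adware, earns no hint, so name-based checks only prioritise which entries to look up first.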
I've had WeatherBug for months, and this problem is only a few days old. I'm hoping that it's not causing this, because I really like it. Here's my latest log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:58:52 AM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
Yeah, Gugs, I don't see anything else bad. If I were you I might try a different antivirus program though. Some of the stuff was listed as being added by worms or trojans, so it bothers me that yours didn't find anything. I recommend avast!, which is free for home users. At the least, download it, run a full scan (no registration is required for the first 30 days), and see if it finds anything. If it doesn't find anything, then at least you got a second opinion. Also make sure that you don't use the System Restore feature of Windows XP to go back before this point, as that will reinstall those programs and force you to go through this mess all over again.
Originally posted by Mr. Boffo:
Also make sure that you don't use the System Restore feature of Windows XP to go back before this point, as that will reinstall those programs and force you to go through this mess all over again.
An even better idea would be to deactivate System Restore when you get everything fixed, which will delete previous Restore Points, RE-activate System Restore and make a new Restore Point. That will give you a clean Restore for future use.
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents." - Nathaniel Borenstein
Thanks for all of the help so far, guys. I've run Avast! and then all of my regular cleaners (now a four-headed beast of SpyBot, Ad-Aware, McAfee and Windows Defender), and the Firefox pop-ups are still coming. Here's my latest HijackThis! log:
Logfile of HijackThis v1.99.1
Scan saved at 8:51:33 PM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
Gugs, I am no whiz like some of these boys, but do you get the pops in IE as well as Firefox? I was wondering if we had covered those bases. If not, a clean up of Firefox and a reinstall might take less time than all this diagnostic insanity.
We'll be back right after order has been restored here in the Omni Center.
Somewhat of a success. Quick Google search of "corrupted user profile" leads to "copying to a new profile". And I checked "hidden files and folders". And there they are!! Now to figure out how to make them "unhidden".