MajorGeeks Support Forums

  #1  
Old 08-02-04, 14:58
yoopermjm yoopermjm is offline
Private E-2
 
Join Date: Aug 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default Cannot rid myself of 680180.net adware

Hello, I am new here. I have been trying for several days to rid myself of this adware which pops up new windows in explorer about every minute or two.
I am running windows xp with broadband. I have blackice firewall installed and ez-antivirus. All are up to date, including all programs mentioned below.

When I first got this menace I was away from the computer for lunch and when I came back my browser was inundated with these recurring pop-ups and my computer slowed to a crawl. Several programs were installed and more asked to be. I first ran ad aware and spybot. I then uninstalled every program that was installed through control panel, there were four or five of them, whose names I have long since forgotten. I then ran RegClean and rebooted, running ad-aware on start-up. I tried to delete the problem through a run regedit solution from another site called "spyany.com". No help.

After seeing the post by Major Attitude, I did everything he asked, including updating windows, disabling system restore, checking for Network Security Service (negative), enabling hidden files (already done), and booting into safe mode.

In safe mode I:
ran a full virus scan with ez antivirus
cleaned the hard drive with ccleaner
scanned with ad aware, including the vx2 plug-in
scanned with spybot search and destroy
ran cwshredder
ran kill2me
ran about:Buster

I then rebooted and I still have the problem. After searching this site for solutions and not finding any that help me, I downloaded hijack this, but I am not running it as you state not to do so until instructed to. I await further instructions. ANY help you can give me will be greatly appreciated. Thank you-- yoopermjm
  #2  
Old 08-02-04, 15:49
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,439
Thanks: 62
Thanked 7,681 Times in 4,144 Posts
Default Re: Cannot rid myself of 680180.net adware

Even if you have already done some of this, do the same as I asked in this thread: http://forums.majorgeeks.com/showthread.php?t=38681

As I indicated there, if that does not fix it, post a HijackThis attachment.
  #3  
Old 08-02-04, 19:32
yoopermjm yoopermjm is offline
Private E-2
 
Join Date: Aug 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Cannot rid myself of 680180.net adware

Okay.

I did everything again as per your instructions-- still no relief.

Attached is the hijack.txt file.

Thanks for taking the time. I've never seen anything quite like this.

Mike
Attached Files
File Type: txt hijackthis.txt (4.8 KB, 3 views)
  #4  
Old 08-03-04, 09:05
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,439
Thanks: 62
Thanked 7,681 Times in 4,144 Posts
Default Re: Cannot rid myself of 680180.net adware

First we need to disable system restore to prevent this from reappearing after fixing. Read this to disable/enable system restore.

Enable viewing of hidden files and folders for Win Explorer. While you have that open make sure the item to Hide extensions for known file types is NOT checked.

Bring up Task Manager by hitting CTRL-ALT-DEL and select the Processes tab. Look for the tyavul.exe process and end it.

Now click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:
regsvr32 /u C:\WINDOWS\System32\gujfh.dll
then click OK. If a dialog box confirming this action appears, click OK.

Now run HijackThis and put check marks on the following items but DO NOT click Fix until you have first exited all Internet Explorer sessions including the one you are reading from right now:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\gujfh.dll
O4 - HKLM\..\Run: [bafdvowqj] C:\WINDOWS\System32\tyavul.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite/fvliteY.cab

Okay! After fixing the above lines with HijackThis, reboot into safe mode and then delete the following files using Windows Explorer:
C:\WINDOWS\System32\gujfh.dll
C:\WINDOWS\System32\tyavul.exe

Reboot in normal mode and let me know how things are working. If everything is good, we will enable system restore.
Reply With Quote
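The steps in the post above follow from the log lines it lists: each entry either points at a local binary that must be unregistered and deleted, or at a target that is already gone. As an added example (not part of the original thread and not HijackThis's own code), this Python parser splits those seven lines into fields and groups them by the follow-up each needs; the regexes and the `parse`/`plan` names are assumptions made for the illustration.

```python
import re

# The seven log lines quoted in the post above ("code - detail" per line).
LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\gujfh.dll
O4 - HKLM\..\Run: [bafdvowqj] C:\WINDOWS\System32\tyavul.exe
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite/fvliteY.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOCAL = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.I)
URL = re.compile(r"https?://\S+")
ORPHAN_TAGS = ("(no file)", "(file missing)", "is missing")

def first(rx, text):
    m = rx.search(text)
    return m.group(0) if m else None

def parse(log):
    """Split each entry into section code, CLSID, local file, URL, orphan flag."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, body = m.groups()
            entries.append({"code": code, "clsid": first(CLSID, body),
                            "file": first(LOCAL, body), "url": first(URL, body),
                            "orphan": any(t in body for t in ORPHAN_TAGS)})
    return entries

def plan(entries):
    """Group entries by the follow-up each one needs once it has been fixed."""
    return {
        # O2 entries backed by a DLL: unregister (regsvr32 /u) before fixing
        "unregister": [e["file"] for e in entries if e["code"] == "O2" and e["file"]],
        # every local binary an entry points at: delete from safe mode afterwards
        "delete": sorted({e["file"] for e in entries if e["file"]}),
        # entries whose target is already gone: fixing the entry is all that is left
        "orphaned": [e["code"] for e in entries if e["orphan"]],
        # O16 entries record the URL an ActiveX control was downloaded from
        "downloaded_from": [e["url"] for e in entries if e["code"] == "O16"],
    }

if __name__ == "__main__":
    for step, items in plan(parse(LOG)).items():
        print(step, items)
```

The `delete` group comes out as the same two System32 files the post asks to remove in safe mode, which is a quick cross-check that no referenced binary was overlooked.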
  #5  
Old 08-03-04, 11:09
yoopermjm yoopermjm is offline
Private E-2
 
Join Date: Aug 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Cannot rid myself of 680180.net adware

Wow. That is amazing. That seems to do it, as I can tell within one or two minutes when the pop-ups start. Nothing now for twenty. A couple of questions before restarting system restore:

I never found the line "O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\gujfh.dll" and so could not delete it.

In my earlier efforts to solve this problem, I ran msconfig and turned off all the start programs save a precious few (sorry I didn't tell you that earlier, I did so many things to try to heal this that I forgot that one). Now if I run msconfig again, there are a bunch of start-ups listed that I don't know what they are, and one I do, which has the "tyavul.exe" program in it. Obviously, I won't re-check it, but is there a way to delete it from even being a possibility in my start up menu?

To prevent this from happening again, I will keep current and run regularly adaware and spybot. I also installed and enabled Spywareblaster. As I stated earlier, I already have ez-antivirus up and running and current, as well as blackice firewall. Is there any other precaution I can take to protect myself from this ordeal in the future?

You have healed my computer and helped me immensely and I am very grateful. Do you take donations from those you help or is there a place I can contribute to further your efforts to protect us from these scourges?
  #6  
Old 08-03-04, 14:43
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,439
Thanks: 62
Thanked 7,681 Times in 4,144 Posts
Default Re: Cannot rid myself of 680180.net adware

Quote:
Originally Posted by yoopermjm
I never found the line "O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\gujfh.dll" and so could not delete it.
Are you sure that it is not just there under a new name?
Is this file gone: C:\WINDOWS\System32\gujfh.dll

Quote:
Originally Posted by yoopermjm
In my earlier efforts to solve this problem, I ran msconfig and turned off all the start programs save a precious few (sorry I didn't tell you that earlier, I did so many things to try to heal this that I forgot that one). Now if I run msconfig again, there are a bunch of start-ups listed that I don't know what they are, and one I do, which has the "tyavul.exe" program in it. Obviously, I won't re-check it, but is there a way to delete it from even being a possibility in my start up menu?
The method I was giving you using HijackThis before was how to remove it completely.
Follow that procedure and delete the file too. You may have to stop msconfig from disabling it first.

Quote:
Originally Posted by yoopermjm
To prevent this from happening again, I will keep current and run regularly adaware and spybot. I also installed and enabled Spywareblaster. As I stated earlier, I already have ez-antivirus up and running and current, as well as blackice firewall. Is there any other precaution I can take to protect myself from this ordeal in the future?
SpywareGuard is good to have too. And are you using a firewall?

Quote:
Originally Posted by yoopermjm
You have healed my computer and helped me immensely and I am very grateful. Do you take donations from those you help or is there a place I can contribute to further your efforts to protect us from these scourges?
No donations! Just thanks! And spread the word - Majorgeeks is great!
All times are GMT -5.