popups from cs.valuead.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sethworld, Nov 2, 2004.

  1. sethworld

    sethworld Private E-2

    I am having the cs.valuead.com pop-ups too. I have run 3 different adware/spyware programs and nothing seems to rid me of it. The valuead.com site support email doesn't work. Please help! I have attached the HijackThis log.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sethworld,

    You should have started your own thread for your problem. Even though you mention the same issues as Debbie, we prefer to work one user's problem in a thread. Also note HJT is not the first step. We require that you first follow ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    I'm splitting you off to your own thread. Run the above and then come back and tell us where you stand.
     
  3. sethworld

    sethworld Private E-2

    I have gone through most of these steps already. I would just like to know what in the hijack file would be causing the cs.valuead.com popups.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are supposed to run ALL of the steps, not some of them. You have additional trojan problems that possibly would have been fixed if you ran all the steps.

    I'm not sure what this FSRremoS.EXE application is for. Do you know?
    Is it something for a Mouse?
    C:\WINDOWS\system32\FSRremoS.EXE

    You need to place HJT into a proper directory to avoid problems with losing backups.

    Make sure you have system restore disabled and viewing of hidden files enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    C:\Documents and Settings\smohs\Application Data\rcrw.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Did you add this next line to your hosts file? It is for Internap Network Services. If you do not know what it is for, include it in the list to fix, otherwise skip it and continue.
    O1 - Hosts: 64.95.50.45 atldc-exchvs01
    O2 - BHO: (no name) - {63A83050-E715-0EE3-8621-635509F47B19} - C:\WINDOWS\system32\kbtjk.dll
    O4 - HKCU\..\Run: [Scer] C:\Documents and Settings\smohs\Application Data\rcrw.exe
    O4 - HKCU\..\Run: [Plwur] C:\WINDOWS\system32\w?nspool.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\smohs\Application Data\rcrw.exe
    C:\WINDOWS\system32\kbtjk.dll

    Now reboot in normal mode and tell me how things are working.
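
The HijackThis entries listed in the post above can also be triaged with a short script. This is an added example, not part of the original thread and not HijackThis's own logic: a Python parser for those log lines that labels each one using assumed heuristics (the function names and flag labels are illustrative).

```python
import re

# HijackThis entries quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = r"""
O1 - Hosts: 64.95.50.45 atldc-exchvs01
O2 - BHO: (no name) - {63A83050-E715-0EE3-8621-635509F47B19} - C:\WINDOWS\system32\kbtjk.dll
O4 - HKCU\..\Run: [Scer] C:\Documents and Settings\smohs\Application Data\rcrw.exe
O4 - HKCU\..\Run: [Plwur] C:\WINDOWS\system32\w?nspool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.+)$")

def parse_entry(line):
    """Split one HijackThis line into code, kind, name and target."""
    m = ENTRY.match(line.strip())
    if not m:
        return None                        # header, process list, blank line
    code, kind, rest = m.group("code", "kind", "rest")
    name, target = "", rest
    if code == "O4" and (run := re.match(r"\[(.*?)\]\s+(.*)", rest)):
        name, target = run.groups()        # "[value name] command line"
    elif " - " in rest:                    # "name - {CLSID} - file"
        parts = rest.split(" - ")
        name, target = parts[0], parts[-1]
    return {"code": code, "kind": kind, "name": name, "target": target}

def flags_for(entry):
    """Assumed triage heuristics (illustrative, not HijackThis's own logic)."""
    flags, target = [], entry["target"]
    if entry["code"] == "O1" and not target.startswith("127.0.0.1"):
        flags.append("hosts-override")           # name mapped to a non-loopback IP
    if entry["code"] == "O2" and entry["name"] == "(no name)":
        flags.append("unnamed-bho")              # browser helper object without a name
    if entry["code"] == "O4" and "\\application data\\" in target.lower():
        flags.append("autorun-from-profile")     # Run key starting a file in the user profile
    if target == "(no file)":
        flags.append("missing-file")             # registration whose file is gone
    elif "?" in target:
        flags.append("placeholder-char-in-path") # assumption: '?' replaces an unrenderable character
    return flags

def triage(log_text):  # -> [(code, target, flags), ...] for each parseable line
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [(e["code"], e["target"], flags_for(e)) for e in entries]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A flag only marks an entry for review; whether it should be fixed still depends on what the user knowingly installed, as with the hosts entry in the post.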
     
