Browser settings reset themselves!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by betheny, Oct 15, 2004.

  1. betheny

    betheny Private E-2

    My IE/Yahoo browser has a place under Settings for Internet Options, Privacy tab, Popup Blocker, Settings. Then it has a spot to allow popups from certain sites, which I could add. I never add to this, but every time I log on it says to allow them from lop.com and search200.com. I delete them, they reappear. I know they are adware of some sort, but how do they change my settings? I have Spy Sweeper, Ad-Aware and Spybot S&D... also Window Washer (Webroot). I have Windows XP as the OS, Norton for virus protection. I recently removed a plague of spyware; my kids had downloaded Kazaa and who knows what all. I'm only moderately computer literate.

    Also, what are these Traffic Marketplace popups?

    I have the Hijack This logfile if anyone needs to see it.

    Thanks loads-Beth
     
  2. betheny

    betheny Private E-2

    Sorry, don't want to waste your time, let me do all that tutorial stuff. Guess I found it last...I'll post back.
     
  3. betheny

    betheny Private E-2

    I did the whole tutorial thing and that stuff is still in my browser.

    Have Windows XP w/ SP2, Version 2002. Computer is a Pentium 4 CPU, 200 GHz, 512 MB of RAM. Hope that's enough info. I did another HijackThis logfile after I did all the tasks. Thanks again.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have completed ALL the steps from the READ ME FIRST, you should read the tutorial in this Sticky thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run HijackThis from the Desktop, a temp folder, or directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT Version 1.98.2
     
  5. betheny

    betheny Private E-2

    Sorry, can't figure out how to make an attachment of this. Sure tried to do it all correctly. Thanks.....
     

    Attached Files: hjt.txt (9.5 KB)

    Last edited by a moderator: Oct 15, 2004
  6. Kodo

    Kodo SNATCHSQUATCH

    Ok... wow...
    Let's start off by going to Add/Remove Programs and removing:
    P2P software
    Smiley Central
    WildTangent

    anything saying ALL BEAUTIFUL GIRLS and AMAZING TENS

    WeatherBug should go too.

    Get rid of Spy Sweeper and Window Washer

    When you're done with that, I want you to download the following and then run them in Safe Mode:

    http://downloads.subratam.org/PeperFix.exe
    PeperFix

    http://www.majorgeeks.com/download.php?det=4281
    a-squared (a²) Free edition 1.1 (requires free registration)

    Run them, reboot, run HJT and make sure you "fix" the following:

    O4 - HKLM\..\Run: [AllBeautifulGirls] "C:\Program Files\AllBeautifulGirls\AllBeautifulGirls.exe" /H
    O4 - HKLM\..\Run: [AmazingTens] "C:\Program Files\AmazingTens\AmazingTens.exe" /H
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [374U3pP] faudo20.exe
    O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
    O4 - HKCU\..\Run: [Iwv8RfjpX] filocvw.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


    Reboot, run HJT again and post another HJT log.
     
  7. betheny

    betheny Private E-2

    OK, thanks, Kodo, did all that. Here's the new logfile, unfortunately still not in attachment form.


    EDIT by chaslang: inline log changed to an attachment
     

    Attached Files: hjt.txt (7.6 KB)

    Last edited by a moderator: Oct 16, 2004
  8. jarcher

    jarcher I can't handle a title

    Kodo, would running PestPatrol take care of that P2P?
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Betheny,

    Run HijackThis and Check the boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dqqfcgkjacoejuavjb.net/R...XJMKR6FnI2N.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.donuxqxsetppqhwgmblpo.co...3z6AUVp_Ag.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.donuxqxsetppqhwgmblpo.co...3z6AUVp_Ag.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qxzrsapalvranoflbko.com/...JMKR6FnI2N.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: (no name) - {332FA278-E4C7-5E7C-8EFC-D53741E8BD94} - C:\PROGRA~1\SUPPOR~1\Softwareroam.exe (file missing)

    O2 - BHO: (no name) - {68EC57DE-7919-5A24-D8C5-CED1853D2558} - C:\DOCUME~1\BETHEN~1\APPLIC~1\SUPPOR~1\Softwareroam.exe

    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

    O3 - Toolbar: (no name) - {4B845B71-EDB2-4679-B65D-73F1A4D7224A} - (no file)

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/...lim/install.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v5.cab


    Make sure ALL browser windows are CLOSED when you click FIX.

    Also, please DELETE C:\WINDOWS\System32\P2P Networking. Be careful to delete only this folder (P2P Networking).
    You may have to enable the viewing of hidden folders.

    Reboot and attach a fresh log. When you are given the "Save Log" option with HJT, save as a .txt file. Then, ATTACH your log via the "Manage Attachments" tool under Additional Options when you post.

    I'm logging off, but I'm sure Kodo will check back.

    Best luck,

    PP
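The entries Kodo and PhilliePhan list above are the usual HijackThis suspects: O4 Run values with random names or bare filenames, R0/R1 start and search pages pointing at throwaway domains, O2 BHOs that are dead or live in a user profile, and O16 ActiveX controls pulled from third-party hosts. The script below is an added example for this thread, not part of the original posts and not HijackThis's own logic; it parses those line types and applies, as code, the rules a log reader applies by eye. The sample log is constructed from entries quoted in the thread (plus one clean R0 line for majorgeeks.com as a control), and every threshold and the trusted-host list are assumptions chosen for illustration.

```python
"""Triage of HijackThis-style log lines (added example; assumptions marked)."""
import re
from urllib.parse import urlsplit

VOWELS = set("aeiouy")                                   # y treated as a vowel
PROFILE_HINTS = ("DOCUME~1", "Documents and Settings", "APPLIC~1", "Application Data")
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")   # assumption

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"(\{[0-9A-Fa-f-]{36}\}).* - (\S+)$")

# Constructed sample: entries quoted in the thread plus one clean R0 control line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AllBeautifulGirls] "C:\Program Files\AllBeautifulGirls\AllBeautifulGirls.exe" /H
O4 - HKLM\..\Run: [374U3pP] faudo20.exe
O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
O4 - HKCU\..\Run: [Iwv8RfjpX] filocvw.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkfieqtdgcla.org/R_Z0MODeG9tvO3jAbqDl2bXmAybhAfLajwrbKlT/3avUPykHp9g7UHJMKR6FnI2N.jpg
O2 - BHO: (no name) - {332FA278-E4C7-5E7C-8EFC-D53741E8BD94} - C:\PROGRA~1\SUPPOR~1\Softwareroam.exe (file missing)
O2 - BHO: (no name) - {68EC57DE-7919-5A24-D8C5-CED1853D2558} - C:\DOCUME~1\BETHEN~1\APPLIC~1\SUPPOR~1\Softwareroam.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
"""


def looks_random(token):
    """Heuristic (assumption): a Run-value name or DNS label looks generated if it
    has 5+ consonants in a row, or a digit wedged between letters in one unspaced
    token of 6+ characters (e.g. 374U3pP, Iwv8RfjpX)."""
    run = best = 0
    for c in (c for c in token.lower() if c.isalpha()):
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    if best >= 5:
        return True
    return " " not in token and len(token) >= 6 and bool(re.search(r"[A-Za-z]\d+[A-Za-z]", token))


def exe_of(command):
    """Executable part of an O4 command: the quoted path, else text up to the
    first .exe/.dll/.com/.scr/.bat, else the first token."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat))(?=\s|$)", command, re.I)
    return m.group(1) if m else (command.split() or [""])[0]


def triage_line(line):
    """Return the list of reasons one HJT line deserves a look (empty = no flag)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body, reasons = m.group("sec"), m.group("body"), []
    if sec == "O4":
        m4 = O4_RE.match(body)
        if m4:
            exe = exe_of(m4.group("cmd"))
            if "\\" not in exe:          # no directory: resolved through the search path
                reasons.append("O4 runs a bare filename found via the search path: " + exe)
            if looks_random(m4.group("name")):
                reasons.append("O4 value name looks machine-generated: " + m4.group("name"))
    elif sec in ("R0", "R1"):
        url = body.partition(" = ")[2].strip()
        host = urlsplit(url).hostname or ""
        labels = [l for l in host.split(".") if l != "www"]
        if any(looks_random(l) for l in labels[:-1]):   # skip the TLD
            reasons.append(f"{sec} points IE at a random-looking host: {host}")
    elif sec == "O2":
        if "(file missing)" in body:
            reasons.append("O2 BHO file is missing: dead registration, safe to fix")
        elif any(h.lower() in body.lower() for h in PROFILE_HINTS):
            reasons.append("O2 BHO lives under a user profile rather than Program Files")
    elif sec == "O16":
        m16 = O16_RE.search(body)
        if m16:
            host = urlsplit(m16.group(2)).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
                reasons.append(f"O16 ActiveX {m16.group(1)} was installed from {host}: review")
    return reasons


def triage(log_text):
    """All (line, reason) pairs for a whole log."""
    return [(ln.strip(), r) for ln in log_text.splitlines() for r in triage_line(ln)]


if __name__ == "__main__":
    for ln, reason in triage(SAMPLE_LOG):
        print(reason, "<-", ln[:70])
```

Note what these rules do not catch: the AllBeautifulGirls and saap lines pass every check because they are properly pathed with readable names, which is why the advisors in this thread also keyed on vendor and folder names. Treat the output as a triage queue, not a verdict.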
     
  10. betheny

    betheny Private E-2

    PP-
    Did all that, I'm getting there. You guys are great!
     


  11. jarcher

    jarcher I can't handle a title

    Close all Internet Explorer windows,
    run HJT
    and fix these:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkfieqtdgcla.org/R_Z0MODeG9tvO3jAbqDl2bXmAybhAfLajwrbKlT/3avUPykHp9g7UHJMKR6FnI2N.jpg

    O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab

    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

    and this must go:

    O4 - HKLM\..\Run: [media delete bin noun] C:\Documents and Settings\All Users\Application Data\HopeDefyMediaDelete\admin barb.exe




    :D
     
  12. Kodo

    Kodo SNATCHSQUATCH

    Betheny,
    I must apologize. Hard to explain, but I basically wrote a program that scans logs and produces results of bad items. It runs off a database and I made a mis-entry for Window Washer and Spy Sweeper. They ARE in fact legitimate software and are NOT spyware. Thanks, PP, for catching my mistake, and apologies to Betheny. You are clear to reinstall those applications at your leisure.


    This has to go:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkfieqtdgcla.org/R_Z0MODeG9tvO3jAbqDl2bXmAybhAfLajwrbKlT/3avUPykHp9g7UHJMKR6FnI2N.jpg

    This one is up to you:
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

    Look here for info on it and scroll to the TGCMD listing:
    http://www.answersthatwork.com/Tasklist_pages/tasklist_t.htm

    This is also listed as spyware:
    O4 - Startup: PowerReg SchedulerV2.exe

    If that is listed in your Add/Remove, then remove it and then delete that HJT entry.
     
    Last edited: Oct 16, 2004
  13. betheny

    betheny Private E-2

    :D "OK....wow."

    Yeah I get that a lot. Would you believe I paid good money to bring these kids into the world? And they unleashed a plague of spyware.... :rolleyes:

    Still working on it, still thanks. :)
     
  14. Kodo

    Kodo SNATCHSQUATCH

    when you think you're done, post a new log.
     
  15. betheny

    betheny Private E-2

    Latest log...
    Also, a-squared uncovered 52 bits of malware, all in .tmp files. Diagnosis says Spyware.Win32.Wintol.j. Any ideas on that? I removed it with a² but it seems to come back.
     


  16. jarcher

    jarcher I can't handle a title

  17. Kodo

    Kodo SNATCHSQUATCH

    Empty your Internet cache.
    Do a search on your machine for *.TMP and delete them ALL. Temp files are not needed.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! All these eyes looking and no one questioned the below line: :D

    O4 - HKCU\..\Run: [Wma delete] C:\DOCUME~1\BETHEN~1\APPLIC~1\BENDPU~1\Warn Team Platform.exe
     
  19. PhilliePhan

    PhilliePhan Guest

    All right, Mr. Smarty Pants! :p What do you make of this one
    c:\progra~1\intern~1\iexplore.exe . . . . .
    Since this is legit, C:\Program Files\Internet Explorer\iexplore.exe ??

    PP
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have seen them many times! Every time I checked, it was just HijackThis reporting it two different ways. We don't know why. The same thing happens quite often for C:\Program Files and for C:\Documents and Settings. You will see some cases of the full filename and some cases where the 8-character DOS filename is used. It must be something about how the entries are stored in the registry.
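The two spellings chaslang describes are the same path: the registry stores whatever string the installer wrote, and some installers write the 8.3 "short name" alias (c:\progra~1\intern~1\iexplore.exe) while others write the long name. Windows builds the alias from the long name by dropping spaces, keeping only the last period, upper-casing, truncating to six characters and appending ~N; N depends on creation order, so it cannot be verified without the filesystem. The script below is an added example, not part of the thread or of HijackThis, that checks whether a short-form path is one the long-form path could have produced. It is a consistency check, not proof of identity, and the generation rule it encodes is an assumption about Windows behaviour stated in the comments.

```python
"""Consistency check between 8.3 short-name paths and long-name paths
(added example; the 8.3 generation rule is an assumption about Windows)."""
import re

# An 8.3 alias component: up to 6 chars, a tilde and a number, optional 0-3 char extension.
SHORT_RE = re.compile(r"^([^.\\/]{1,6})~\d+(\.[^.\\/]{0,3})?$")


def short_stem(long_name):
    """(stem, ext) Windows would use for an 8.3 alias of long_name.
    Assumed rule: remove spaces, keep only the last period as the extension
    separator, upper-case, take the first 6 stem and 3 extension characters."""
    name = long_name.replace(" ", "").upper()
    if "." in name:
        base, _, ext = name.rpartition(".")
        base = base.replace(".", "")
    else:
        base, ext = name, ""
    return base[:6], ext[:3]


def component_matches(short, long):
    """True if `short` equals `long` (case-insensitive) or is an 8.3 alias
    that `long` could have produced. The ~N suffix is not checkable offline."""
    if short.lower() == long.lower():
        return True
    m = SHORT_RE.match(short)
    if not m:
        return False
    stem, ext = short_stem(long)
    short_ext = (m.group(2) or ".")[1:]
    return m.group(1).upper() == stem and short_ext.upper() == ext


def same_path(short_path, long_path):
    """Component-by-component comparison of two paths, either of which may
    mix long and 8.3 components."""
    s = short_path.replace("/", "\\").split("\\")
    l = long_path.replace("/", "\\").split("\\")
    return len(s) == len(l) and all(component_matches(a, b) for a, b in zip(s, l))


if __name__ == "__main__":
    # The two spellings from the thread resolve to one program.
    print(same_path(r"c:\progra~1\intern~1\iexplore.exe",
                    r"C:\Program Files\Internet Explorer\iexplore.exe"))
```

One detail the check makes visible: a folder named support.com would keep its extension in the alias (SUPPOR~1.COM), so a bare SUPPOR~1 is not an alias for it and must be some other folder starting with "suppor". Windows also falls back to a hashed alias after several collisions on the same six-character stem; the check rejects those rather than guessing, so a False result means "could not confirm", not "different file".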
     
  21. PhilliePhan

    PhilliePhan Guest

    DRAT!! I'll stump you yet, Mr. Smarty-Pants! Mwuh ha ha hah! ;)
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Dr Evil! :p Don't mind us Betheny. We get a little nutty reading these logs.
     
