Difficulty getting rid of Netscape popup

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stargazer, Dec 3, 2004.

  1. stargazer

    stargazer Private E-2

    A few weeks back I started to clean out my PC as spyware was starting to rear its ugly head. I followed all of the recommendations to the best of my abilities on the how to: spyware, Trojan, and virus removal. I run Windows 98 so I was not able to connect to the internet in safe mode. I followed the supplement scans as well and I did manage to clear up a few things but one persistent problem keeps popping up. Netscape will start up automatically and connect to an ad claiming to sell adware cleanup software, the address on the toolbar is best.globosearch. A further look at properties shows a source of gigsearch.biz. I have searched my computer for files associated with these names and I come up with a file called systr.dll.
    I have also downloaded Hijack this and have done a system scan. Any help from the experts here would be greatly appreciated. You already have helped a great deal just by having this site, you guys are awesome.

    PS If it matters, if I leave my computer running unattended after a short time, Netscape always opens to the page mentioned above. Rescanning with Spybot and AD aware will then show new threats with no other activity in the mean time. Is this program automatically downloading new spyware? Thanks in advance for your help.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Stargazer,

    If you have exhausted the resources of the Cleanup Tutorial, then please go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will take a look when they get a chance.

    Best :)
    PP
     
  3. stargazer

    stargazer Private E-2

    Thank you for your reply. I am attempting to attach my Hijack this log. Please note that I did try to close out all programs when I ran Hijack this, including shutting down the programs in my task bar. I noticed that explorer.exe was still listed as a running program on the log along with some other programs. I hope I have done things correctly, thanks again for your prompt reply.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Stargazer,

    I gave your log a quick look - It doesn't look too bad.

    Please look in Add or Remove Programs for the following and Uninstall them, if found:

    180 Solutions
    TSA
    Viewpoint


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.
    Now, scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)

    O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\SYSTEM32\POPUP_BL.DLL (file missing)

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

    O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and navigate to and DELETE the following if they remain:

    C:\Program Files\Viewpoint ---> The Folder
    c:\program files\180solutions ---> The Folder
    C:\PROGRAM FILES\COMMON FILES\TSA ---> The Folder

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Best luck :)
    PP
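
As an added illustration that is not part of the original thread: a small Python parser for the HijackThis entry lines listed in the post above. It groups entries by section code and flags the ones HijackThis itself marks as `(no file)` or `(file missing)`; the function names are this example's own, and the sample lines are copied from that post.

```python
import re

# Entry lines copied from the post above (not a complete HijackThis log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\SYSTEM32\POPUP_BL.DLL (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - <detail>"
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
ORPHAN_MARKS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # blank lines, log header, running-process list
        code, detail = m.groups()
        clsid = CLSID.search(detail)
        run = RUN.match(detail) if code == "O4" else None
        entries.append({
            "code": code,
            "detail": detail,
            "clsid": clsid.group(0) if clsid else None,
            # the registry entry survives but its target file is gone
            "orphaned": detail.endswith(ORPHAN_MARKS),
            "autostart": dict(zip(("hive", "key", "name", "command"),
                                  run.groups())) if run else None,
        })
    return entries


def orphaned_codes(entries):
    """Section codes of entries that point at a file that no longer exists."""
    return [e["code"] for e in entries if e["orphaned"]]


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        flag = "orphaned" if e["orphaned"] else "-"
        print(e["code"], flag, e["autostart"] or e["clsid"] or e["detail"])
```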
     
  5. stargazer

    stargazer Private E-2

    Thank you for the assistance. I followed the directions and waited a while to see if the problem reoccurred. Unfortunately, if I leave my computer running, when I come back to it I have the same Netscape popup on my screen telling me I have spyware on my system. I have included another hijack this log. Is there anything else this could be?
     

    Attached Files:

  6. stargazer

    stargazer Private E-2

    I almost forgot, I could not find the 180solutions folder and the Viewpoint folder to delete them. Also, when I went to Add/Remove programs as the first step, I found the programs, but it said that the files were missing and could not be uninstalled. I did a file search for 180 and Viewpoint and came up with some dat files and winzip file and several files that appeared to be logs of spybot and the like. Just wanted to give you complete info, Thanks.
     
  7. stargazer

    stargazer Private E-2

    I still have not had any luck getting rid of my Netscape intruder. I have tried scanning the Netscape files looking for recently created or modified files and have deleted anything suspicious. However, my computer still automatically starts Netscape and goes to best.globosearch.com. I rarely use Netscape and I am considering deleting it entirely. Especially since I think when this popup appears and is left open for a while it starts to download spyware. If anyone has any ideas please help. Thank You.
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Stargazer,

    Your HJT log looks OK. I don't know why Netscape behaves like that. Did you try resetting your web settings? I'll ask Chaslang for a 2nd opinion.

    For the 180 Solutions and Viewpoint, try looking in Program Files for remnants and deleting them.

    PP :)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm on the run right now, so this will be just a quick comment. Is Netscape your default browser? If yes, change your default to IE (or better yet FireFox) and tell me if you still get popups from anyone.
     
  10. stargazer

    stargazer Private E-2

    Thanks to everyone here who is helping out, you guys/gals are an unbelievable help. Unfortunately I am still having the same problem. It is not causing any noticeable performance changes in my system, it just gives me the chills knowing that someone has the ability to get my computer to do something I don't want it to.
    More information on what I have found. The site that my computer gets directed to is best.globosearch.com. So I did a search for files containing this text and found a file in System 32 that was created at the time my problem popped up. The file is called systr.dll. Since it was recently created I figured it would be OK to delete it. However, I have been unable to do so as my system says Windows is currently running this program. I opened the program using notepad and tried manually deleting the file and replacing it and I was told that the new file could not be saved and reverted back to the unmodified version.
    Now these attempts are beyond my understanding of the inner workings of Windows so these steps may have been huge no-nos. If you have any ideas please let me know. Thanks again for all of the great help this site and people give.
    edit- sorry one more thing. My default setting for the net is Explorer and have changed any settings that mention Netscape when the problem first appeared.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this:

    Make sure viewing of hidden files is enabled.

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\systr.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Now reboot in safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\systr.dll

    Reboot normal and let me know how things look.
     
  12. stargazer

    stargazer Private E-2

    OK, here is what happened when I tried the instructions.
    An error window appeared titled Regsvr 32 stating
    C:\Windows\System32\systr.dll was loaded but the DllUnregister Server point entry point was not found
    DllUnregister server may not be exported, or a corrupt version of C:\Windows\System32\systr.dll may be in memory
    Consider using PView to delete and remove it.
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi Stargazer,

    Please download the following tool:

    Pocket KillBox

    Run KillBox and select the Delete on Reboot option. Then, Copy and Paste C:\Windows\System32\systr.dll into the window and Click the red X to Delete and then YES or OK until you reboot. See if that does the job.

    PP :)
     
  14. stargazer

    stargazer Private E-2

    PhilliePhan,
    Thank you, Thank you. systr.dll appears to be gone. I've got my fingers crossed that this takes care of my issue. I am this close >< to doing the happy dance. :) If it pops back up I'll let you know.
     
  15. PhilliePhan

    PhilliePhan Guest

    You're welcome! Happy we could help :)

    You might be well served to implement some of Chas' recommendations: How to Protect yourself from malware!

    PP :)
     
