Help!! Windows explorer troubles, Popups, internet keeps disconnecting by itself?

Discussion in 'Malware Help (A Specialist Will Reply)' started by fin1, Feb 6, 2005.

  1. fin1

    fin1 Private E-2

    Hello, please help me. Having all kinds of problems. Internet keeps turning off and then coming back on when it wants. Popups like crazy. Windows Explorer not functioning properly. I went step by step with your how-to on removing spyware, trojans, etc. The more I do, the worse it seems to be getting. Please help. This is very frustrating.

    Thank You

    fin1
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome

    We ask that you do all of the TUTORIAL first.

    After doing ALL of the TUTORIAL if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. fin1

    fin1 Private E-2

    I did everything in the tutorial but it's still getting worse, please help.
     

    Attached Files:

  4. TheOldThug

    TheOldThug First Sergeant

    Let's get you started, you have a lot. There are some more things that Chas or PP will help you fix.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    TV Media
    TBuninst
    HuntBar
    Sidefind
    Ares
    Viewpoint
    IstSvc
    SideFind
    Spyware Adware Remover

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    blqtexfg.exe
    newpop446.exe
    mxxdaek.exe
    hffsrv.exe
    istsvc.exe
    abgmix.exe
    TBuninst.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.portalsearching.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.portalsearching.com/search.php?phrase=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    O4 - HKLM\..\Run: [vEqi9zt] C:\WINDOWS\fmg7p.exe
    O4 - HKLM\..\Run: [GIF] c:\WINDOWS\System32\GIF89a
    O4 - HKLM\..\Run: [g] C:\WINDOWS\System32\abgmix.exe
    O4 - HKLM\..\Run: [hynepqib] C:\WINDOWS\System32\blqtexfg.exe
    O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\newpop446.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TrojanScanner] D:\Program files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [-
    ] C:\WINDOWS\mxxdaek.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [spywatch] D:\Program files\Spyware Adware Remover\SpywareRemover\SpyWatch.exe /STARTUP
    O4 - HKCU\..\Run: [SpySweeper] "D:\Program files\Spysweeper 3.0\SpySweeper v3.0 b113 with crack\Spy Sweeper\SpySweeper.exe" /0

    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)

    O15 - Trusted Zone: *.media-motor.net

    O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
    O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {34A44FCF-50E3-63A5-A8DA-7835752B9571} - http://www.captaincode.com/ccbar/ccbar.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4CF5275B-CDBC-11D3-A8AF-0090279A5978} - http://www.sexxx-direct.com/BHO.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106599cc3a9e8c4d5019/netzip/RdxIE601.cab
    O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://192.168.123.221/web/NetCam.cab
    O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB
    O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content2.netvenda.com/sites/games-intl/ca/games5.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ca/games1.cab
    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A86ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
    O16 - DPF: {9D0A9D98-5221-430A-A02D-76F0827C82D1} (ADialer Class) - http://www.dialer-shop.com/im6/celebrita.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://play.hoylegames.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.47/ttinst.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB
    O16 - DPF: {FFFF0021-0002-101A-A3C9-08002B2F49FB} - http://www.7adpower.com/dialer/A091AEM.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\WINDOWS\System32\blqtexfg.exe
    C:\WINDOWS\newpop446.exe
    C:\WINDOWS\mxxdaek.exe
    C:\WINDOWS\system32\hffsrv.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\TV Media <--- the whole folder
    C:\WINDOWS\fmg7p.exe
    C:\WINDOWS\System32\abgmix.exe
    C:\WINDOWS\Temp\TBuninst.exe


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)


    EDIT PP: You have a lot of crap in the O16 DPF section that needs to go. Also, you have a VX2 variant issue.
     
    Last edited by a moderator: Feb 6, 2005
  5. TheOldThug

    TheOldThug First Sergeant

    On this part:

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:


    C:\Program Files\ISTsvc <--- take out the whole folder, not just ISTsvc.exe as in the original line I had, which read:
    C:\Program Files\ISTsvc\istsvc.exe
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    LSP - Fix


    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing


    First Step:

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Second Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment (do it later when we reconnect). Make sure you wait long enough for it to complete. A window with the log will popup when it finishes.

    Third Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!
    Come back here and post as attachments the l2mfix log, the find.bat log (normally already named output.txt) and a new HJT log (this will require two posts as only two attachments can be made in a message). Based on those logs, we will determine the next steps. Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  7. PhilliePhan

    PhilliePhan Guest

    Hey Chas,

    Didn't see you! I added some items to Thug's original Fix. Will bug out now! ;)


    PP
     
  8. fin1

    fin1 Private E-2

    Here is everything you requested. Thank you so much for helping.
     

    Attached Files:

  9. fin1

    fin1 Private E-2

    and the third file.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's continue the cleanup. You must ALWAYS remember to exit all browsers before running HijackThis. You had IE running as shown by this line:
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    It is not a good idea to use Ares. It contains adware.

    Running a pirated copy of SpySweeper is also a bad idea: SpySweeper v3.0 b113 with crack

    Who knows what problems you may have picked up from the site you got that from.

    You should uninstall Spyware Remover, it is on the below list of rogue/suspect spyware removal tools.
    http://www.spywarewarrior.com/rogue_anti-spyware.htm


    Step 1:

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Step 2:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\system32\fmxowlui5.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.portalsearching.com/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.portalsearching.com/search.php?phrase=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O2 - BHO: (no name) - {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC} - C:\WINDOWS\system32\fjdabevy.dll
    O2 - BHO: (no name) - {702DB1CA-CC6C-2D8E-376D-4763760D0AF8} - C:\WINDOWS\system32\jseofwzp.dll
    O2 - BHO: (no name) - {8A4F2B07-16F9-F168-3125-28E4FF97CBD9} - C:\WINDOWS\system32\tsngbzmc.dll
    O4 - HKLM\..\Run: [GIF] c:\WINDOWS\System32\GIF89a
    O4 - HKLM\..\Run: [g] C:\WINDOWS\System32\abgmix.exe

    Do you recognize this next line? It seems suspicious to me. If not, fix it too.
    O4 - Startup: Deer Hunter 2005 Registration.lnk = D:\Program files\Deer Hunter 2005\Deer Hunter 2005\ATR1.EXE

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
    O15 - Trusted Zone: *.media-motor.net
    O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
    O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {34A44FCF-50E3-63A5-A8DA-7835752B9571} - http://www.captaincode.com/ccbar/ccbar.cab
    O16 - DPF: {4CF5275B-CDBC-11D3-A8AF-0090279A5978} - http://www.sexxx-direct.com/BHO.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106599cc3a9e8c4d5019/netzip/RdxIE601.cab
    O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://192.168.123.221/web/NetCam.cab
    O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB
    O16 - DPF: {91413D86-9F27-402C-B5E3-DEBDD122C339} - http://content2.netvenda.com/sites/games-intl/ca/games5.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ca/games1.cab
    O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A86ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
    O16 - DPF: {9D0A9D98-5221-430A-A02D-76F0827C82D1} (ADialer Class) - http://www.dialer-shop.com/im6/celebrita.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://play.hoylegames.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.47/ttinst.cab
    O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB
    O16 - DPF: {FFFF0021-0002-101A-A3C9-08002B2F49FB} - http://www.7adpower.com/dialer/A091AEM.exe
    O23 - Service: ulzopzalzkxy - Unknown - C:\WINDOWS\system32\fmxowlui5.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\fmxowlui5.exe
    C:\WINDOWS\system32\fjdabevy.dll
    C:\WINDOWS\system32\jseofwzp.dll
    C:\WINDOWS\system32\tsngbzmc.dll
    c:\WINDOWS\System32\GIF89a
    C:\WINDOWS\System32\abgmix.exe
    C:\Program Files\PartyPoker <-- the whole folder
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.


    Step 3: Come back and post follow up logs
    Now reconnect to the internet and come back here and post and attach the L2MeFix Log and a new HJT log.

    Okay after doing the above DO NOT REBOOT.
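    As an added illustration (not code from this thread, from HijackThis, or from the helpers), here is a small Python triage script that applies, mechanically, the checks the helpers apply by eye to the HJT lines above and to the "(no file)" O2 BHO entries that keep reappearing later in the thread: hosts-file redirects of IE's search hosts, orphaned BHO CLSID registrations, Run entries launching from a temp folder, Trusted Zone additions, DPF controls fetched from dialer sites or as bare .exe files, and services with an unknown vendor. The sample lines are copied from the logs posted in this thread; the thresholds and host lists are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis logs posted in
# this thread, plus two benign lines (dumprep, Symantec scanner) for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.portalsearching.com/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC} - (no file)
O2 - BHO: (no name) - {8A4F2B07-16F9-F168-3125-28E4FF97CBD9} - C:\WINDOWS\system32\tsngbzmc.dll
O4 - HKLM\..\Run: [k] C:\documents and settings\2003200\local settings\temp\k.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O23 - Service: ulzopzalzkxy - Unknown - C:\WINDOWS\system32\fmxowlui5.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Hosts that Internet Explorer itself resolves for search (assumed list);
# pointing them anywhere but loopback is the search hijack seen in this thread.
IE_SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")
    low = body.lower()

    if sec in ("R0", "R1") and "=" in body:
        # Start/search page values; an empty value is left for HJT to reset.
        url = body.split("=", 1)[1].strip().lower()
        if url and not any(h in url for h in ("microsoft.com", "msn.com")):
            return Finding(sec, "IE search/start URL points at a third-party site", line)

    if sec == "O1":
        ip, host = body.split(":", 1)[1].split()[:2]
        if ip not in ("127.0.0.1", "0.0.0.0") and host in IE_SEARCH_HOSTS:
            return Finding(sec, f"hosts file sends {host} to {ip} (search hijack)", line)

    if sec == "O2":
        clsid = CLSID_RE.search(body)
        clsid = clsid.group(0) if clsid else "<no CLSID>"
        if low.endswith("(no file)"):
            # DLL is already gone but the CLSID key under
            # ...\Explorer\Browser Helper Objects is still registered.
            return Finding(sec, f"orphaned BHO registration {clsid}; registry key must go by hand", line)
        if "(no name)" in low:
            return Finding(sec, f"unnamed BHO {clsid} loading {body.rsplit(' - ', 1)[-1]}", line)

    if sec == "O4":
        name = re.search(r"\[(.*?)\]", body)
        name = name.group(1) if name else ""
        path = body.rsplit("]", 1)[-1].strip().lower()
        if "\\temp\\" in path:
            return Finding(sec, f"Run entry [{name}] launches from a temp folder", line)
        if len(name) <= 1:
            return Finding(sec, f"Run entry with throwaway value name [{name}]", line)

    if sec == "O15":
        return Finding(sec, "site added to the IE Trusted Zone (fewer ActiveX prompts)", line)

    if sec == "O16":
        url = body.rsplit(" - ", 1)[-1].strip().lower()
        if url.startswith("file://") or "/dialer/" in url or url.endswith(".exe"):
            return Finding(sec, f"DPF control fetched from suspicious location {url}", line)

    if sec == "O23" and " - unknown - " in low:
        return Finding(sec, "service with unknown vendor and random-looking name", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of an HJT log."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

    Eight of the ten sample lines are flagged; the dumprep Run entry and the Symantec scanner control pass through unflagged.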
     
  11. fin1

    fin1 Private E-2

    Ok here are the log files. If you guys are getting tired and need some sleep we can continue this tomorrow. Thanks again

    fin1
     

    Attached Files:

  12. fin1

    fin1 Private E-2

    Oh yeah I also uninstalled spyware remover and spysweeper.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looking better! Now run the find.bat file from the Generic Detection Tool again and post its log. We need to make sure everything was found and fixed.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC} - (no file)
    O2 - BHO: (no name) - {702DB1CA-CC6C-2D8E-376D-4763760D0AF8} - (no file)
    O2 - BHO: (no name) - {8A4F2B07-16F9-F168-3125-28E4FF97CBD9} - (no file)
    O4 - HKCU\..\Run: [spywatch] D:\Program files\Spyware Adware Remover\SpywareRemover\SpyWatch.exe /STARTUP

    After clicking Fix, exit HJT.
    Reboot into normal mode and post a new HJT log.

    And tell us how things are working.
     
  14. fin1

    fin1 Private E-2

    Hello, seems to be a lot faster now. It's asking me to re-activate Windows? Here are the log files.

    Fin1
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would like to know where you went surfing between your last HJT log and this one and what you were downloading and installing. You have a whole bunch of new bad stuff in your log now.

    Can you explain?

    I can! You reinstalled the pirated software again and all your problems are back and then some. If you insist upon using this illegal software, I cannot and will not keep working on trying to repair your system.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your copy of Windows legal? If so, re-activate it.
     
  17. fin1

    fin1 Private E-2

    I'm sorry, my kids came back from school and went on the PC before I came back home. Very sorry about that. But I did not install any old software or anything else. I apologize for this. It will not happen again. Sorry again. And yes, it is a legal copy of Windows.

    fin1
     
  18. fin1

    fin1 Private E-2

    OK wait, I think I misunderstood you when you wrote start up in normal mode. So I went into msconfig and changed to normal startup program mode. Crap, I guess I goofed up, not the kids. I'm very sorry. Crap, my mistake. How bad is my goof up?

    fin1
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand what you are saying. We already were in Normal Startup mode as far as msconfig is concerned and you said
    So how did they come back if you uninstalled them? They would have to be reinstalled.
     
  20. fin1

    fin1 Private E-2

    Sorry, no, my PC started on the selective startup mode in msconfig. I guess I screwed up. So when I changed it to normal mode it added all the stuff that I didn't want to start in the start file. That's where the old SpySweeper and other stuff probably came from. I guess I really screwed up, didn't I? I'm very sorry.

    fin1
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! According to the HJT log in message # 11, msconfig was not in use.
    Also, msconfig does not reinstall software.

    Or are you now saying that you did not follow my directions and you never uninstalled the software?
     
  22. fin1

    fin1 Private E-2

    I'm sorry, I have followed your instructions step by step. That was the only different thing I have done (msconfig) because I misunderstood. I apologize again. Unless when the kids were on the PC after school they did something that I don't know about, but I have done everything you have asked me to do. I want this PC to work normal again, trust me. Once again I do apologize for the trouble I have caused.

    fin1
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, let me ask one more question then! Earlier when you said you uninstalled those two programs, tell me how you did that.
     
  24. fin1

    fin1 Private E-2

    Hello, I used the uninstaller in their folders.


    fin1
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall them again and delete the install executables from your PC now!
    If you want to use a shareware version of SpySweeper we can add that later but do not use the one you have anymore.

    Also look in Add/Remove Programs for the following and uninstall if found:
    - BullsEye Network
    - Web_Rebates
    - Windows ServeAd or Windows AdStatus

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC} - (no file)
    O2 - BHO: (no name) - {702DB1CA-CC6C-2D8E-376D-4763760D0AF8} - (no file)
    O2 - BHO: (no name) - {8A4F2B07-16F9-F168-3125-28E4FF97CBD9} - (no file)
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
    O4 - HKLM\..\Run: [k] C:\documents and settings\2003200\local settings\temp\k.exe
    O4 - HKLM\..\Run: [FZyd] C:\documents and settings\2003200\local settings\temp\FZyd.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Windows ServeAd <--- the whole folder
    C:\Program Files\Windows AdStatus <--- the whole folder
    C:\Program Files\Web_Rebates <--- the whole folder
    C:\WINDOWS\system32\bridge.dll
    C:\documents and settings\2003200\local settings\temp\k.exe
    C:\documents and settings\2003200\local settings\temp\FZyd.exe
    C:\Program Files\BullsEye Network <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  26. fin1

    fin1 Private E-2

    Hello again and thank you for still helping me out after my screw up. Things seem to be a lot better now. But I can't seem to get these off:

    O2 - BHO: (no name) - {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC} - (no file)
    O2 - BHO: (no name) - {702DB1CA-CC6C-2D8E-376D-4763760D0AF8} - (no file)
    O2 - BHO: (no name) - {8A4F2B07-16F9-F168-3125-28E4FF97CBD9} - (no file)

    Also is this one a bad one?

    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    Thanks again. Here is my log file.

    Fin1
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, Powerscan is bad. I meant to ask you to look in Add/Remove programs for it and to uninstall it if found. Let me know if you do find it there. After that do the below (I'm assuming it has no uninstall and maybe it relates to those other items):

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC} - (no file)
    O2 - BHO: (no name) - {702DB1CA-CC6C-2D8E-376D-4763760D0AF8} - (no file)
    O2 - BHO: (no name) - {8A4F2B07-16F9-F168-3125-28E4FF97CBD9} - (no file)
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Power Scan <--- the whole folder

    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    By the way, about 99% of the people who have Viewpoint Manager software do not use it and do not even know what it is or where it came from. AOL sneaks it into your system without asking permission. You should uninstall it too.
     
  28. fin1

    fin1 Private E-2

    Hello again. OK, did what you asked me to do but it looks like it didn't remove these:

    O2 - BHO: (no name) - {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC} - (no file)
    O2 - BHO: (no name) - {702DB1CA-CC6C-2D8E-376D-4763760D0AF8} - (no file)
    O2 - BHO: (no name) - {8A4F2B07-16F9-F168-3125-28E4FF97CBD9} - (no file)

    Why won't it fix these ones? How's it looking otherwise? Seems to be loading faster and running faster too. Here is my log.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite

    Run it, click on the magnifying glass to do a search and then enter the following string to look for and hit Enter:
    2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC

    Copy back here all the matches you get.

    Repeat the search for the other two CLSIDs:
    702DB1CA-CC6C-2D8E-376D-4763760D0AF8
    8A4F2B07-16F9-F168-3125-28E4FF97CBD9
     
  30. fin1

    fin1 Private E-2

    Here are the matches for 2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC}

    HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC}\iexplore

    HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC}

    and for 702DB1CA-CC6C-2D8E-376D-4763760D0AF8

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{702DB1CA-CC6C-2D8E-376D-4763760D0AF8}

    HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{702DB1CA-CC6C-2D8E-376D-4763760D0AF8}\iexplore

    HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{702DB1CA-CC6C-2D8E-376D-4763760D0AF8}

    And for 8A4F2B07-16F9-F168-3125-28E4FF97CBD9

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4F2B07-16F9-F168-3125-28E4FF97CBD9}

    HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A4F2B07-16F9-F168-3125-28E4FF97CBD9}\iexplore

    HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A4F2B07-16F9-F168-3125-28E4FF97CBD9}

    Hope I did this right.

    fin1
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixbho.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fixbho.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Then reboot and post a new HJT log
     
  32. fin1

    fin1 Private E-2

    Did what you instructed, now I can't connect to the internet? Using laptop to get on internet.

    fin1
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Damn! Get a HJT log from that computer if you can!

    What happens when you try to connect?
     
  34. fin1

    fin1 Private E-2

    I get server not found. I will get the log file and put it on through here in a few mins.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are your two PC's connected on a network?
     
  36. fin1

    fin1 Private E-2

    Weird, went back down to the PC and hit refresh and I am on the internet now? That's weird. It is telling me I have new updates to install on this PC? Here is the log file.

    fin1
     

    Attached Files:

  37. fin1

    fin1 Private E-2

    Yes, they are connected on a wireless network.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using HJT to fix those three O2 - BHO lines now!

    Does that help? Did they actually fix? Get another log to see.

    If not, download Mozilla Firefox using your other PC and transfer it to the problem PC. Then install FireFox and see if you can connect.
     
  39. fin1

    fin1 Private E-2

    Tried to fix those three O2 - BHO lines but they are still there. I'm back on the net now. Here is the new log.

    fin1
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How are you back on the net? By using Firefox?
     
  41. fin1

    fin1 Private E-2

    Weird, went back down to the PC and hit refresh and I am on the internet now. No Firefox.

    fin1
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OKAY! So then I wonder if the registry merge actually worked. Go back to RegistrarLite and search for those CLSIDs again. Do you get the same info?

    I gotta get some sleep now. Talk with ya tomorrow!
     
  43. fin1

    fin1 Private E-2


    I get the exact same info as before. Have a good sleep :) I'm tired too.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you double clicked on the file, did it tell you that it added the items to the registry?
     
  45. fin1

    fin1 Private E-2


    Yes it did

    fin1
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before we go any further on this let's get the registry backed up!

    Download, install and run ERUNT to back up your registry. Just install it and it should prompt you to do the Backup the Registry.
     
  47. fin1

    fin1 Private E-2


    Good morning :) OK done.

    fin1
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the Registry Search Tool from here:

    http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:
    2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC

    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post in this thread.

    Repeat the above steps for each of the following values:
    702DB1CA-CC6C-2D8E-376D-4763760D0AF8
    8A4F2B07-16F9-F168-3125-28E4FF97CBD9


    If those searches do not work, try putting { } around the strings first. Like:
    {2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC}
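
    The search the post above asks for, done in PowerShell, as an added example that is not part of the thread and not the RegSrch.vbs tool itself. It walks HKEY_LOCAL_MACHINE and HKEY_USERS recursively and reports every key name, value name and value data that contains one of the three CLSIDs from the thread, then prints the hits in the same [KEY] / "name"="data" shape as the tool's WordPad output. The hive list, the function names and the output layout are this example's own choices; the CLSIDs are the ones chaslang listed.

```powershell
# Added example (not from the thread): recursive registry search for CLSID strings,
# the same job RegSrch.vbs does in the post above, written in PowerShell.
# Run from an elevated prompt. Hives of users who are not logged on are not loaded
# under HKEY_USERS and therefore are not searched. The three CLSIDs are from the thread.

$Clsids = @(
    '2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC',
    '702DB1CA-CC6C-2D8E-376D-4763760D0AF8',
    '8A4F2B07-16F9-F168-3125-28E4FF97CBD9'
)

# HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and the per-user
# *_Classes hives under HKEY_USERS, so walking these two roots covers it as well.
$Roots = @('Registry::HKEY_LOCAL_MACHINE', 'Registry::HKEY_USERS')

# Case-insensitive substring test. Searching for the bare GUID also matches the
# braced form {GUID}, so no second search with braces is needed.
function Test-ContainsAny {
    param([string]$Text, [string[]]$Needles)
    if (-not $Text) { return $false }
    foreach ($n in $Needles) {
        if ($Text.IndexOf($n, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# Render value data as searchable text (REG_BINARY as hex, REG_MULTI_SZ joined).
function Convert-ValueToText {
    param($Data)
    if ($null -eq $Data)      { return '' }
    if ($Data -is [byte[]])   { return (($Data | ForEach-Object { $_.ToString('X2') }) -join '') }
    if ($Data -is [string[]]) { return ($Data -join "`n") }
    return [string]$Data
}

function Find-RegistryString {
    param([string[]]$Roots, [string[]]$Needles)
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($root in $Roots) {
        # Keys we are not allowed to open (e.g. SAM, SECURITY) are skipped silently.
        foreach ($key in Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue) {
            if (Test-ContainsAny -Text $key.Name -Needles $Needles) {
                $hits.Add([pscustomobject]@{ Key = $key.Name; Value = ''; Data = ''; MatchIn = 'key name' })
            }
            foreach ($vn in $key.GetValueNames()) {
                # '' is the key's default value; keep REG_EXPAND_SZ data unexpanded so it stays searchable.
                $data = Convert-ValueToText ($key.GetValue($vn, $null, 'DoNotExpandEnvironmentNames'))
                if (Test-ContainsAny -Text $vn -Needles $Needles) {
                    $hits.Add([pscustomobject]@{ Key = $key.Name; Value = $vn; Data = $data; MatchIn = 'value name' })
                } elseif (Test-ContainsAny -Text $data -Needles $Needles) {
                    $hits.Add([pscustomobject]@{ Key = $key.Name; Value = $vn; Data = $data; MatchIn = 'value data' })
                }
            }
        }
    }
    return $hits
}

$results = @(Find-RegistryString -Roots $Roots -Needles $Clsids)
if ($results.Count -eq 0) {
    Write-Output 'No matches.'
} else {
    # Same layout as the RegSrch.vbs output quoted in the thread: one [KEY] block per key,
    # followed by any matching values ("@" is the default value, as in a .reg file).
    foreach ($group in ($results | Group-Object Key)) {
        Write-Output "[$($group.Name)]"
        foreach ($hit in $group.Group) {
            if ($hit.MatchIn -ne 'key name') {
                $name = if ($hit.Value -eq '') { '@' } else { "`"$($hit.Value)`"" }
                Write-Output "$name=`"$($hit.Data)`""
            }
        }
        Write-Output ''
    }
}
```

    The Ext\Stats keys the thread keeps turning up are Internet Explorer's per-add-on bookkeeping for its Manage Add-ons list, kept under each user's profile (hence the HKEY_USERS\S-1-5-21-...-1004 prefix); removing a BHO's CLSID registration does not clear them, which matches chaslang's observation that the first merge fixed the O2 lines but left these entries behind. Re-running the search after a merge is the quickest way to confirm whether the .reg file actually took.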
     
  49. fin1

    fin1 Private E-2

    Ok here they are.

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC" 2/9/2005 11:54:47 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC}]

    [HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2F5DBEBF-C9D9-6020-C070-CDE66F65F4CC}\iexplore]

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "702DB1CA-CC6C-2D8E-376D-4763760D0AF8" 2/10/2005 12:02:22 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{702DB1CA-CC6C-2D8E-376D-4763760D0AF8}]

    [HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{702DB1CA-CC6C-2D8E-376D-4763760D0AF8}\iexplore]


    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "8A4F2B07-16F9-F168-3125-28E4FF97CBD9" 2/10/2005 12:06:01 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A4F2B07-16F9-F168-3125-28E4FF97CBD9}]

    [HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A4F2B07-16F9-F168-3125-28E4FF97CBD9}\iexplore]

    [HKEY_USERS\S-1-5-21-1993962763-329068152-725345543-1004\Software\Resplendence Sp\Registrar Lite\Settings]
    "LastOpenedKey"="HKEY_USERS\\S-1-5-21-1993962763-329068152-725345543-1004\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{8A4F2B07-16F9-F168-3125-28E4FF97CBD9}"


    fin1
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Strange??? Those are exactly the lines I had in the registry merge I gave you before. Seems like the merge only fixed the 3 BHO items but not the other two entries for each key.

    Try the below and make sure you do exactly what I say:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixstats.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Close all applications you have running and exit all Internet Explorer and other browsers sessions.

    Double-click on the fixstats.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Immediately afterwards, run HJT and save a new log. Now open your browser and come back here and post the HJT log.
     
