Internet Explorer Script Error, popups from cs.valuead.com

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by debbie5165, Oct 7, 2004.

  1. debbie5165

    debbie5165 Private E-2

    I have read and followed through with the cleaning of my computer in this post
    http://forums.majorgeeks.com/showthread.php?t=35407
    I have run the following programs in SAFE MODE and Normal Mode after disabling the System Restore in WINXP
    *Ad-Aware SE w/Ad-Aware VX2 Cleaner Plug-In
    *CCleaner
    *Spybot
    *McAfee AVERT Stinger
    *CWShredder
    *about:Buster
    *HSRemove

    I have also run virus scans and trojan scans on my computer.

    I am still getting the popups and script errors, I am actually not getting the popups as I have a popup stopper running. But it alerts me when it blocks one.
    I have a picture of the error here - http://home.comcast.net/~debbie5165/scripterror.jpeg

    Each time my popup stopper blocks one it leaves a little bit of information in my history as can be seen in this picture - http://home.comcast.net/~debbie5165/history.jpeg

    Another error message about ActiveX... do I have my settings wrong? I restored everything to default??

    http://home.comcast.net/~debbie5165/activexerror.jpeg
    http://home.comcast.net/~debbie5165/settings.jpeg

    I have a few lines in my hijack report that I think are causing it, but I am not sure what to do. I am not afraid of the computer and have been in the registry before. Just need a little guidance :)
     
  2. jarcher

    jarcher I can't handle a title

    Check your Advanced tab, does it look close to these settings?
     

    Attached Files:

  3. debbie5165

    debbie5165 Private E-2

    I have the first one that you have circled checked, do not have the middle on, and the last one is unchecked
     

    Attached Files:

  4. Kodo

    Kodo SNATCHSQUATCH

  5. debbie5165

    debbie5165 Private E-2

    I rebooted and closed all programs in the taskbar, as told :)
     
  6. debbie5165

    debbie5165 Private E-2

    forgot to name it a txt file, so here it is now
     

    Attached Files:

  7. Kodo

    Kodo SNATCHSQUATCH

    a few problems
    It looks like you may have a Peper trojan.
    Boot to safe mode and run this application

    Peperfix
    http://tools.zerosrealm.com/PeperFix.exe

    check your add/remove for SEARCHMIRACLE entry and remove it.

    You also have SyncroAd. You should be able to remove this via add/remove. If not then you need to follow this

    then find the files WinSync.exe and SyncroAd.exe and delete them.

    you can get rid of these entries in HiJackThis but make sure NO browser windows are open including the one you're reading this in.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKCU\..\Run: [Sbcp] C:\Documents and Settings\Just Us\Application Data\aucr.exe [Possible Trojan!]
    O4 - HKCU\..\Run: [Aantd] C:\WINDOWS\System32\w?wexec.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com
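
A way to triage HijackThis entries like the ones listed in the post above, as an added example that is not part of the original thread and not code from HijackThis. The function names and the review heuristics are assumptions made for illustration (including treating a `?` in a file name as a character the log could not render); the sample lines are copied from posts in this thread.

```python
import re

# HijackThis section codes that appear in this thread and what they cover.
SECTIONS = {
    "R0": "IE start/search page setting",
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)",
    "O9": "extra IE button / Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
}
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")

def parse_line(line):
    """Split one log line into section code, section meaning and body."""
    m = LINE_RE.match(line)
    return {"code": m[1], "kind": SECTIONS.get(m[1], "unknown"), "body": m[2].strip()} if m else None

def review_notes(entry):
    """Return reasons (hypothetical heuristics) why an entry deserves a closer look."""
    body, notes = entry["body"], []
    if body.endswith("(no file)"):
        notes.append("orphaned: registered component has no file on disk")
    if entry["code"] == "O4" and "\\application data\\" in body.lower():
        notes.append("autostart from a user profile data folder")
    # Assumption: '?' stands for a character the log could not render,
    # which can make a file name look like a legitimate system file.
    if re.search(r"\\[^\\]*\?[^\\]*\.(exe|dll)", body, re.I):
        notes.append("unrenderable character in file name")
    if entry["code"] in ("O2", "O3", "O9") and "(no name)" in body:
        notes.append("component has no display name")
    return notes

def triage(log_text):
    """Parse every recognisable line and attach its review notes."""
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [(e["code"], e["kind"], review_notes(e)) for e in entries]

# Sample lines copied from this thread (the helper's inline annotation omitted).
SAMPLE = r"""
O2 - BHO: (no name) - {1BA9197F-EC4D-2BEA-8724-63550A84296B} - C:\WINDOWS\System32\mvtbok.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [Sbcp] C:\Documents and Settings\Just Us\Application Data\aucr.exe
O4 - HKCU\..\Run: [Aantd] C:\WINDOWS\System32\w?wexec.exe
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
"""

if __name__ == "__main__":
    for code, kind, notes in triage(SAMPLE):
        print(f"{code:<4}{kind:<44}{'; '.join(notes) or '-'}")
```

An entry with no notes, such as the O16 line here, is not cleared by this check; it only means none of these heuristics matched.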
     
  8. debbie5165

    debbie5165 Private E-2

    Peperfix ** found none :)

    check your add/remove for SEARCHMIRACLE entry and remove it. ***wasn't there
    open up your task manager (CTRL+SHIFT+ESC), choose processes tab and select WinSync. Right click on it and choose "end process tree". ***wasn't running

    then find the files WinSync.exe and SyncroAd.exe and delete them. ***wasn't there
    you can get rid of these entries in HiJackThis but make sure NO browser windows are open including the one you're reading this in.
    ***did this and I am happy to say that for the last five minutes of web surfing I am finally pop up free ;) yippee!!!

    THANK YOU
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kodo,

    I think this O2 line should be suspect too:

    O2 - BHO: (no name) - {1BA9197F-EC4D-2BEA-8724-63550A84296B} - C:\WINDOWS\System32\mvtbok.dll
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should reboot (to make sure problems are really gone) and then create a new HJT log and post it.
     
  11. Kodo

    Kodo SNATCHSQUATCH

    Whoops... yes, I did see that one but must have forgotten the copy and paste of it.
     
  12. Kodo

    Kodo SNATCHSQUATCH

  13. debbie5165

    debbie5165 Private E-2

    I will download that and run it as something is still in here, the pop ups are gone but something is leaving crap in my history still as you can see. I am off to work in a half hour, will try to run that, reboot and get another hijack report run :) THANK YOU
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you closed all browsers and had HJT fix the O2 line I gave you earlier:

    O2 - BHO: (no name) - {1BA9197F-EC4D-2BEA-8724-63550A84296B} - C:\WINDOWS\System32\mvtbok.dll

    If not, fix it. And then boot to safe mode (make sure viewing of hidden files is enabled) and use Windows Explorer to delete:
    C:\WINDOWS\System32\mvtbok.dll
    C:\Documents and Settings\Just Us\Application Data\aucr.exe
    C:\WINDOWS\System32\w?wexec.exe

    Then reboot in normal mode and let us know how things look.
     
  15. debbie5165

    debbie5165 Private E-2

    O2 - BHO: (no name) - {1BA9197F-EC4D-2BEA-8724-63550A84296B} - C:\WINDOWS\System32\mvtbok.dll *removed :)

    If not, fix it. And then boot to safe mode (make sure viewing of hidden files is enabled) and use Windows Explorer to delete:
    C:\WINDOWS\System32\mvtbok.dll *removed
    C:\Documents and Settings\Just Us\Application Data\aucr.exe *wasn't there, although there was one in the prefetch, so I deleted all files in prefetch. I thought that the cleaner was clearing this but it had 87 items in there after I ran it so I did it myself
    C:\WINDOWS\System32\w?wexec.exe *I couldn't find this file, the closest match was one that was called wowexec.exe so I left it there

    I ran all the programs again in safe mode and the only one that found anything was Spybot. It keeps finding the same 5 DSO items that end with zones/0/1004!=w=3; each time I run it, it finds the same 5 items.

    My history is true to the websites I have been on, and no more pop ups. The only thing that keeps popping up is the ActiveX error, so I don't have a setting correct in there somewhere.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  17. Vlad7077

    Vlad7077 Private E-2

    Yes, I have the same cs.valuead error, it came after I deleted some programs I thought were causing popups. I'm assuming IE is bugged or something. I followed the same steps you did and it didn't seem to do much of anything for me either.
     
