Major PopUp/Virus/Spyware problems!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Theg02guy, Mar 29, 2005.

  1. Theg02guy

    Theg02guy Private E-2

    Hey, I saw how y'all helped out someone else having the same problems as me, and was hoping you could help me out as well!

    I have Norton AntiVirus, Microsoft AntiSpyware, Ad-Aware, SpyBot... and I still keep getting popups and other VERY annoying things.

    One of my biggest problems is Norton will find problems, but won't be able to delete all of them!!!
    I have written down a few of the viruses & PopUp Banners; hopefully y'all will be able to help me out! ANY help would be VERY appreciated.

    ads1.revenue.net
    randreco.exe
    nkkbde.exe
    minibugtransporte
    exp.exe
    wintask.exe
    wpnudsdk.exe
    wshelper.exe
    wupdt.exe
    temperror32.dat
    ads.deskwizz.com
    ads1.searchmiracle.com
    atx marketing <<<This is ALWAYS popping up
    Ceres

    And then one of the banners has been advertising Party Poker. (I don't even play poker!!!)

    Once again, ANY help would be SO very helpful!!

    Thanks
     
  2. Theg02guy

    Theg02guy Private E-2

    Another few files that I have found, but have been unable to rid myself of, are:
    Euniverse
    ceres.dll
    Farmmext.exe
    thnall2c.exe
    SearchingBooth.com
    buddy.exe
    and Pacis.exe
    Thanks again!
     
  3. Qwertyman66

    Qwertyman66 Private E-2

  4. Rick_Lincoln

    Rick_Lincoln Private E-2

    Hi OP, #3 is right.... you need to get rid of as much of this crap as you can so the guys here can help you.... run through the READ ME sticky. It is not as bad as it looks. It took me approx 1.5-2 hours to go through it all, including the downloads bit! I admit that I did not do the online virus scans because I could not get on the net, but the programmes listed found stuff that all the others missed!! And I have Norton, MS AntiSpy, Ad-Aware etc. too!
    It will clear a lot of crap out and then the guys will be able to see more clearly what is happening!

    Good luck

    Rick
     
  5. Theg02guy

    Theg02guy Private E-2

    Thanks guys, I'm in the process of doing all of it.
    I appreciate all the help I can get!!
    Thanks again!

    -Poor College Kid..
     
  6. Theg02guy

    Theg02guy Private E-2

    I'm still having the ATX marketing and Ad1.----whatever popups.
    This is driving me crazy!

    I did all the steps on the first page.
    I am on the verge of reformatting it, but I don't even know if that'd solve my problem.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you ran all the steps in the READ ME FIRST, then follow the steps below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  8. Theg02guy

    Theg02guy Private E-2

    Hey, sorry it took so long; I got caught up in school.

    Thanks again!!

    (I'm not getting as many popups now, but the ATX Marketing and Ads1 are still popping up with a few others.)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\IEXPLOR.exe
    C:\WINDOWS\system32\rsoajv\qjik.exe
    C:\WINDOWS\system32\qdvacnd\jfujd.exe
    C:\WINDOWS\system32\dmksybi\gfqvt.exe
    C:\WINDOWS\system32\uupo\ejafnsx.exe
    C:\WINDOWS\system32\mdgdcenc\jgntr.exe
    C:\WINDOWS\system\ufrh.exe
    C:\WINDOWS\system32\wpnudsdk.exe
    C:\WINDOWS\system32\domjd\ymwispjq.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
    O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
    O4 - HKLM\..\Run: [ilggcn] C:\WINDOWS\system32\idxn\ilggcn.exe
    O4 - HKLM\..\Run: [glrnl] C:\WINDOWS\system32\npgwcjn\glrnl.exe
    O4 - HKLM\..\Run: [leikpe] C:\WINDOWS\system32\yceqvkfm\leikpe.exe
    O4 - HKLM\..\Run: [faxfi] C:\WINDOWS\system32\rpemoc\faxfi.exe
    O4 - HKLM\..\Run: [avtvl] C:\WINDOWS\system32\ktknq\avtvl.exe
    O4 - HKLM\..\Run: [gfqvt] C:\WINDOWS\system32\dmksybi\gfqvt.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitezvo32.exe
    O4 - HKLM\..\Run: [ejafnsx] C:\WINDOWS\system32\uupo\ejafnsx.exe
    O4 - HKLM\..\Run: [qjik] C:\WINDOWS\system32\rsoajv\qjik.exe
    O4 - HKLM\..\Run: [jfujd] C:\WINDOWS\system32\qdvacnd\jfujd.exe
    O4 - HKLM\..\Run: [gndrqyh] C:\WINDOWS\system32\kkdhecgq\gndrqyh.exe
    O4 - HKLM\..\Run: [ymwispjq] C:\WINDOWS\system32\domjd\ymwispjq.exe
    O4 - HKLM\..\Run: [jgntr] C:\WINDOWS\system32\mdgdcenc\jgntr.exe

    Ares is known to contain Adware! Consider uninstalling it!
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

    O4 - HKCU\..\Run: [h0ptRiatQ] wpnudsdk.exe
    O23 - Service: avtvlktknq - Unknown owner - C:\WINDOWS\system32\ktknq\avtvl.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O23 - Service: ymwispjqdomjd - Unknown owner - C:\WINDOWS\system32\domjd\ymwispjq.exe


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WildTangent <--- the whole folder
    C:\WINDOWS\system32\rsoajv <--- the whole folder
    C:\WINDOWS\system32\qdvacnd <--- the whole folder
    C:\WINDOWS\system32\dmksybi <--- the whole folder
    C:\WINDOWS\system32\uupo <--- the whole folder
    C:\WINDOWS\system32\mdgdcenc <--- the whole folder
    C:\WINDOWS\system32\domjd <--- the whole folder
    C:\WINDOWS\system32\idxn <--- the whole folder
    C:\WINDOWS\system32\npgwcjn <--- the whole folder
    C:\WINDOWS\system32\yceqvkfm <--- the whole folder
    C:\WINDOWS\system32\rpemoc <--- the whole folder
    C:\WINDOWS\system32\ktknq <--- the whole folder
    C:\WINDOWS\system32\dmksybi <--- the whole folder
    C:\WINDOWS\system32\kkdhecgq <--- the whole folder
    C:\WINDOWS\IEXPLOR.exe
    C:\WINDOWS\system\ufrh.exe
    C:\WINDOWS\system32\wpnudsdk.exe
    C:\windows\system32\elitezvo32.exe <-- also look for and delete any other files starting with elite and ending with .exe. There could be a bunch more.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log, and tell us how things are working.

    We may need to run some additional steps to remove those O23 Service lines.
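    As an added example (not code from the thread or from HijackThis), a small Python triage helper that parses the O4 Run-key, O23 Service and R SearchURL lines chaslang asks to be fixed and flags the patterns his removal list is built on: an executable sitting in its own random-named subfolder of system32, a bare file name with no directory (found via PATH search), an elite*.exe name, and a service with an unknown owner. The sample lines are copied from the post above; the flag names and heuristics are my assumptions, so an unflagged entry is not proof of innocence.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of the HijackThis 1.99.1 lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [qjik] C:\WINDOWS\system32\rsoajv\qjik.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitezvo32.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [h0ptRiatQ] wpnudsdk.exe
O23 - Service: avtvlktknq - Unknown owner - C:\WINDOWS\system32\ktknq\avtvl.exe
"""

# Hypothetical patterns for the two HJT line types this helper understands.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")

def first_token(cmd):
    """Executable from a Run/Service command: the quoted path, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def path_flags(path):
    """Heuristics taken from the removal post; each flag marks an entry for review."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]
    if not parts:
        return ["empty-command"]
    flags = ["bare-filename"] if len(parts) == 1 else []   # no directory: resolved via PATH
    for sysdir in ("system32", "system"):
        if sysdir in parts and parts.index(sysdir) < len(parts) - 2:
            flags.append("private-system-subfolder")      # exe in its own folder under system32
            break
    if parts[-1].startswith("elite") and parts[-1].endswith(".exe"):
        flags.append("elite-name")
    return flags

def triage(log):
    """Parse the log into findings; every entry is kept, suspicious ones carry flags."""
    findings = []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            path = first_token(m["cmd"])
            findings.append({"kind": "O4", "name": m["name"], "path": path, "flags": path_flags(path)})
        elif m := O23_RE.match(line):
            path = first_token(m["cmd"])
            flags = path_flags(path) + (["unknown-owner"] if m["owner"] == "Unknown owner" else [])
            findings.append({"kind": "O23", "name": m["name"], "path": path, "flags": flags})
        elif line.startswith("R") and "SearchURL" in line:   # search provider redirected
            findings.append({"kind": "R", "name": "SearchURL", "path": line.split("=", 1)[1].strip(), "flags": ["search-hijack"]})
    return findings

def suspicious(log):
    return [f for f in triage(log) if f["flags"]]
```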
     
  10. Theg02guy

    Theg02guy Private E-2

    I'm getting an error when I try uploading the HijackThis file...

    But I am proud to say that I think y'all have done it! No more popups (yet).
    (About the Ares thing, I had that like a year ago, and had since uninstalled it...so I'm not sure how/why I still had it)

    Anything I can do to help prevent these sorts of things from getting on my computer again? I have Ad-Aware, Spybot, Microsoft AntiSpyware, and Norton (although I just got it, and it already seems to be on the fritz...)

    Thanks again! I'll see if I can upload that attachment!!
     
  11. Theg02guy

    Theg02guy Private E-2

    Here it is!

    Thanks again!!!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You missed a couple; follow the same procedures as last time.

    O4 - HKLM\..\Run: [ymwispjq] C:\WINDOWS\system32\domjd\ymwispjq.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitezvo32.exe

    Make sure you look for all files beginning with elite and ending in .exe and delete all of them while in safe mode.

    Delete:
    C:\WINDOWS\system32\domjd <--- the whole folder
    C:\windows\system32\elitezvo32.exe
     
  13. Theg02guy

    Theg02guy Private E-2

    Here's the latest file.

    I fixed the two with HijackThis, but the two files were not present when I went into safe mode.

    How's it look?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now you're clean! To help keep you that way, it is time to make sure you have completed all the steps (or their equivalents) in the thread below:

    How to Protect yourself from malware!
     
  15. Theg02guy

    Theg02guy Private E-2

    GREAT!

    Thanks for all the help!!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!!
     