Margaritaville

Discussion in 'Malware Help (A Specialist Will Reply)' started by msbehavin, Mar 2, 2005.

  1. msbehavin

    msbehavin Private E-2

    I was surfing some popup-heavy websites trying to find a Jimmy Buffett Margaritaville mp3 for my website last week and a couple hours later, I got back on my computer and there were literally HUNDREDS of popups on my screen. Somehow one or more of the websites I was on has installed adware onto my computer that is causing numerous popups. It is also causing normal words on webpages to turn into links. I don't know the names of all the adware, but I know I have eZula and SearchingBooth. I have tried running all the programs on your suggestion topic and for several minutes afterwards, there are no problems but then the adware seems to re-install itself and come right back. :rolleyes: I have downloaded HijackThis but I know how you guys are about posting the log file so do you have any other suggestions or programs I could run that might help? Thanks! :)
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    We ask that you please try to work through the following TUTORIAL first.
    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not, post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. msbehavin

    msbehavin Private E-2

    I did everything in the suggestion topic and nothing has helped--here is my HijackThis file...sorry to make more work for you guys but nothing else seems to be fixing it....thanks! :)
     

  4. tblue

    tblue Corporal

    Hi msbehavin...I don't pretend to be an expert like the guys that will help you on here but....you need to update your HJ file. It's not the latest. You also need to move it from your desktop. Follow the instructions in TheOldThug's post.
     
  5. TheOldThug

    TheOldThug First Sergeant

    Ms, tblue is correct. Please update your HJT and put it into a safe folder as explained in the previous post. Place it in its own folder, for example C:\Program Files\HJT. Resubmit log.
     
  6. msbehavin

    msbehavin Private E-2

    I'm sorry guys...I really did read the instructions but I have so many popups at this point that I can't even concentrate on what I'm doing....I hope I did it right this time, I followed the instructions.... :confused:
     

  7. TheOldThug

    TheOldThug First Sergeant

    You're getting closer. You have placed the HijackThis.exe file directly into the Program Files folder. Please make a folder called HJT in the Program Files folder and then put the HijackThis.exe into that folder. This must be done so that backups can be made.

    Thus when you run it, it will look like this: it will be in C:\Program files\HJT\HijackThis.exe, not C:\Program Files\HijackThis.exe

    let me know if there is a problem
     
  8. msbehavin

    msbehavin Private E-2

    Ok did I do it right this time? I'm so sorry, I'm not very good at this..
     

  9. PhilliePhan

    PhilliePhan Guest

    You got it that time! :)

    There are a lot of baddies in there - Give OldThug some time to work through them when he checks back in.

    PP :)
     
  10. msbehavin

    msbehavin Private E-2

    Thanks guys -- you're the best! :)
     
  11. TheOldThug

    TheOldThug First Sergeant

    You have a lot to get rid of so let's get started.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Weatherbug

    After uninstalling this, some of the steps I show below related to WeatherBug may no longer be necessary but it does not hurt to make sure everything is cleaned up.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Click Start, and then click Run and type: regsvr32 /u 3839ieoj.dll and press enter. Repeat the process with the three files listed below.
    regsvr32 /u MSW.dll
    regsvr32 /u LinkBHO.dll
    regsvr32 /u AUNBHO.dll

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    3839ieoj.exe
    SysCheckBop32.exe
    sys022666991812.exe
    winupdt.exe
    wxmqey.exe
    slirax.exe
    r?ndll32.exe (don't confuse with rundll32.exe)
    inpkn.exe
    oefwal.exe
    soxrekos.exe
    cewofmt.exe
    prsxt.exe
    juqd.exe
    imaaalsl.exe
    inpkn.exe
    Weather.exe
    cap6523.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
    O2 - BHO: (no name) - {0FA0A519-3DFA-433C-87C3-B86167473F0B} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {158F5A3A-A836-4526-A50C-41E6F51F4E01} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {17575017-937B-465C-AEAC-A8967726D0DC} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {187F90D9-E3D3-447D-A60B-6F1A31B29F1A} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {18910799-235A-4B18-A453-32E0AC8A4FBA} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {279C1F76-827C-463F-AB86-45CC8EE010B8} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {2E6BFF6F-15B3-47B2-821F-12E6763243E0} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {390A30DB-0A38-42F2-8B94-C97BA1EACBB8} - C:\Program Fles\3839ieoj\3839ieoj.dll
    O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
    O2 - BHO: (no name) - {4D523825-DCA6-4630-9978-3604D95C94E0} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\system32\AUNBHO.dll
    O2 - BHO: (no name) - {68DA1DC7-41C4-4EFD-842D-274DA6F77DCE} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {7383A34F-2730-4F9D-A326-243E8AEEA544} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {7E4FE17B-DE84-4110-AC71-147B2CE4FB33} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {7E5F4787-A001-4F49-908C-F368AA756EED} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {80EFFCF9-91EB-4D42-AF8F-C91C1AC33F61} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {88928FC5-EAC9-4DC3-946D-8993A31E8AA8} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {8B5E5F67-611F-4BA4-A726-705E96DFF121} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {9D39CD5F-5C99-4AE3-8F24-6635727408DE} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {C5A6DD34-B729-4630-AF66-08DC059D37B9} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: LinkBHO.cIExplorer - {CC924BD1-7382-4619-A706-070CB00F2325} - C:\Documents and Settings\All Users\Application Data\linkbho\LinkBHO.dll
    O2 - BHO: (no name) - {E3C84F92-D967-41F2-A2C3-9C26287CD3B3} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {E5A366CD-1229-4010-BE2A-02DC4FBD238C} - C:\Program Files\3839ieoj\3839ieoj.dll
    O2 - BHO: (no name) - {F7591200-8CCA-4292-89F5-E8359A0A43F1} - C:\Program Files\3839ieoj\3839ieoj.dll
    O4 - HKLM\..\Run: [rbklopt] C:\WINDOWS\System32\oefwal.exe
    O4 - HKLM\..\Run: [3839ieoj] C:\Program Files\3839ieoj\3839ieoj.exe
    O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
    O4 - HKLM\..\Run: [C:\WINDOWS\soxrekos.exe] C:\WINDOWS\soxrekos.exe
    O4 - HKLM\..\Run: [tE7h34e] cewofmt.exe
    O4 - HKLM\..\Run: [sys022666991812] C:\WINDOWS\sys022666991812.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
    O4 - HKLM\..\Run: [wxmqey] C:\WINDOWS\system32\ymrhpr\wxmqey.exe
    O4 - HKLM\..\Run: [prsxt] C:\WINDOWS\system32\ahxhkgwc\prsxt.exe
    O4 - HKLM\..\Run: [juqd] C:\WINDOWS\system32\uhbxyj\juqd.exe
    O4 - HKLM\..\Run: [imaaalsl] C:\WINDOWS\system32\iroc\imaaalsl.exe
    O4 - HKLM\..\Run: [inpkn] C:\WINDOWS\system32\mspxv\inpkn.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Qxpx] C:\WINDOWS\System32\r?ndll32.exe
    O4 - HKCU\..\Run: [cponRQK2h] cap6523.exe

    This next one, if you don't recognize the address:
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXUS

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    Any of these you don't recognize:
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50222/QDow_AS2.cab
    O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0032.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they still remain:

    C:\Program Files\3839ieoj ---> The folder
    C:\Documents and Settings\All Users\Application Data\msw ---> The folder
    C:\WINDOWS\system32\AUNBHO.dll
    C:\Documents and Settings\All Users\Application Data\linkbho ---> The folder
    C:\WINDOWS\System32\oefwal.exe
    C:\WINDOWS\SysCheckBop32
    C:\WINDOWS\soxrekos.exe
    C:\WINDOWS\sys022666991812.exe
    C:\WINDOWS\system32\winupdt.exe
    C:\WINDOWS\system32\ymrhpr ---> The folder
    C:\WINDOWS\system32\ahxhkgwc ---> The folder
    C:\WINDOWS\system32\uhbxyj ---> The folder
    C:\WINDOWS\system32\iroc ---> The folder
    C:\WINDOWS\system32\mspxv ---> The folder
    C:\Program Files\AWS\WeatherBug ---> The folder
    C:\WINDOWS\System32\r?ndll32.exe (don't confuse with rundll32.exe)
    Search for these next two:
    cap6523.exe
    cewofmt.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
    Last edited by a moderator: Mar 2, 2005
  12. TheOldThug

    TheOldThug First Sergeant

    Please make sure you use the HJT in the folder you just made, close all browsers when you fix lines.
     
  13. msbehavin

    msbehavin Private E-2

    Hey there, I followed your instructions and I definitely have a huge decrease in popups so far, but I am still getting a few. I attached my new HJT log along with this so maybe you could see if I overlooked anything...? Thanks so much for all your help!
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see Thug is here and will get back to you. But please note, you have two HJT processes running.

    C:\Program Files\HijackThis.exe
    C:\Program Files\HJT\HijackThis.exe

    You must only run one instance of HJT. Delete this one C:\Program Files\HijackThis.exe
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  16. TheOldThug

    TheOldThug First Sergeant

    I'm sorry I have to get to bed for the night. I will look at it tomorrow, maybe PP or Chas can get you a fix tonight.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still here and I will work on your log when you post a new one after doing what I last requested.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I'm not sure whether you did my last steps or not. So here is a full set of steps for you to do.

    First go to Add/Remove Programs and look for an uninstall to each of the below. Uninstall if found:
    180solutions
    AutoUpdate
    CxtPls
    ISTsvc
    SideFind

    If you do not find them, don't worry about it because I'm leaving manual removal steps below anyway.

    You should print or save the below instructions locally because you MUST exit all browsers and physically unplug your cable from the internet BEFORE continuing any further. Do not open a browser or reconnect until told to.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Click Start, and then click Run and type: regsvr32 /u C:\Program Files\CxtPls\cxtpls.dll
    and press enter. Repeat the process with the file listed below.

    C:\Program Files\SideFind\sfbho.dll

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\r?ndll32.exe
    C:\WINDOWS\kdkffh.exe
    C:\WINDOWS\system32\Gxtbht.exe
    c:\program files\180solutions\sais.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\system32\dmuit.exe
    C:\WINDOWS\system32\dunsta.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Program Files\ISTsvc\istsvc.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [UFeGu] C:\WINDOWS\kdkffh.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [ohuhex] C:\WINDOWS\ohuhex.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Jeyrjt.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Gxtbht.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [tE7h34e] dunsta.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [cponRQK2h] dmuit.exe
    O4 - HKCU\..\RunOnce: [DeleteXXXToolbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\active.exe
    C:\WINDOWS\ohuhex.exe
    C:\WINDOWS\kdkffh.exe
    C:\WINDOWS\system32\Gxtbht.exe
    C:\WINDOWS\system32\Jeyrjt.exe
    c:\program files\180solutions <--- the whole folder
    C:\Program Files\AutoUpdate <--- the whole folder
    C:\WINDOWS\system32\dmuit.exe
    C:\WINDOWS\system32\dunsta.exe
    C:\Program Files\CxtPls <--- the whole folder
    C:\Program Files\ISTsvc <--- the whole folder
    C:\Program Files\SideFind <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that fails, run HJT's process manager again (like above) and look for the processes to be running and kill them. Then try to delete the file.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode, reconnect your cable, get a new HJT log, and open your browser and post the new HJT log. And tell us how things are working.
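An added example, not part of this thread and not HijackThis code: a small Python parser for the HJT log line formats that the fix lists in posts #11 and #18 are built from (R1, O2 BHO, O4 Run, O16 DPF), applying the same checks the helpers made by eye. The sample lines are copied from those two posts plus one constructed benign Run entry (ctfmon); the KNOWN_BAD name list is an assumption drawn only from component names appearing in this thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: HijackThis 1.99-style lines copied from the fix lists in posts
# #11 and #18 of this thread, plus one constructed benign Run entry (ctfmon) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
O2 - BHO: (no name) - {0FA0A519-3DFA-433C-87C3-B86167473F0B} - C:\Program Files\3839ieoj\3839ieoj.dll
O2 - BHO: (no name) - {158F5A3A-A836-4526-A50C-41E6F51F4E01} - C:\Program Files\3839ieoj\3839ieoj.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [tE7h34e] cewofmt.exe
O4 - HKCU\..\Run: [Qxpx] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0032.exe
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+\\\.\.\\Run(?:Once)?): \[(.*?)\] (.*)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
KNOWN_BAD = ("3839ieoj", "sidefind", "180solutions", "cxtpls", "istsvc")  # names from this thread only

def parse_line(line):
    """Split one HJT line into (section, fields); None for blank or non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O2" and body.startswith("BHO: "):
        name, clsid, *rest = body[5:].split(" - ")         # BHO: <name> - {CLSID} - <dll>
        return section, {"name": name, "clsid": clsid, "target": " - ".join(rest)}
    if section == "O4" and (m4 := O4_RE.match(body)):      # HKLM\..\Run: [<value>] <command>
        key, name, cmd = m4.groups()
        return section, {"key": key, "name": name, "target": cmd.strip('"')}
    if section == "O16" and body.startswith("DPF: "):
        head, _, url = body[5:].partition(" - ")            # {CLSID} (Name) - <URL>
        return section, {"clsid": head.split(" ")[0], "target": url}
    if section[0] == "R":
        key, _, url = body.partition(" = ")                 # <registry value> = <URL>
        return section, {"key": key, "target": url}
    return section, {"target": body}

def review(log_text):
    """Return {raw line: [reasons]} for lines that trip the checks the helpers did by eye."""
    entries = [(ln.strip(), *p) for ln in log_text.splitlines() if (p := parse_line(ln))]
    # A legitimate BHO registers one CLSID; 3839ieoj.dll in post #11 claimed about twenty.
    dll_count = Counter(f["target"].lower() for _, s, f in entries if s == "O2")
    findings = defaultdict(list)
    for raw, section, f in entries:
        t = f["target"]
        hit = next((n for n in KNOWN_BAD if n in t.lower()), None)
        if hit:
            findings[raw].append(f"path names known adware component '{hit}'")
        if section == "O2" and dll_count[t.lower()] > 1:
            findings[raw].append(f"{dll_count[t.lower()]} BHO CLSIDs share one DLL")
        if section == "O4" and "\\" not in t:
            findings[raw].append("Run entry has no path (resolved through PATH at logon)")
        if section == "O4" and "?" in t.rsplit("\\", 1)[-1]:
            findings[raw].append("non-printable char in filename (look-alike of rundll32.exe)")
        if section[0] == "R" and IP_HOST_RE.match(t):
            findings[raw].append("IE search URL points at a bare IP address")
        if section == "O16" and t.lower().endswith(".exe"):
            findings[raw].append("DPF download is a bare .exe rather than a .cab")
    return dict(findings)
```

Note that AutoUpdate.exe passes every shape-based check even though it was on chaslang's fix list, which is why the helpers' lists rest on recognising known components rather than on path shape alone.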
     
  19. msbehavin

    msbehavin Private E-2

    It's really not a big deal if it gets done tonight, I know it must be annoying to deal with this all day, especially with clueless people like me when it seems like this comes as second nature to you all. :) I ran the IstBar (sp?) removal program and that worked, and I attached my new HJT log. Most of my popups are gone but I am still getting some from TrafficMarketplace.com and there is a program running called 180 Search Assistant which I didn't install and can't uninstall. I'll be around for a bit longer since I have no early classes tomorrow, but don't worry about looking at the HJT log tonight if it's a hassle!! Thanks so much for all your help :)
     

  20. msbehavin

    msbehavin Private E-2

    I am following your instructions right now..thanks
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool! I thought you took off for the night too! I'll be cutting out soon too.
     
  22. msbehavin

    msbehavin Private E-2

    Ok, all done with that! I don't seem to be getting any popups at the moment which is a good sign!! :) Here is my HJT log so you can take one more look...thanks so much for your help! I'm heading to bed, I'll check back in the morning...Goodnight! ;)
     

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome from TheOldThug and me. Your log looks good! Make sure you check out the below thread to help avoid future problems:

    How to Protect yourself from malware!

    Also after rebooting tomorrow come back and let us know if things are still OK!

    Good night!
     
  24. msbehavin

    msbehavin Private E-2

    No more popups---thanks so much!! :)
     
  25. TheOldThug

    TheOldThug First Sergeant

    You're welcome. So glad it got fixed. Be sure to Protect yourself as Chas said.
     