Popups are baaaack!

Discussion in 'Malware Help (A Specialist Will Reply)' started by scottyf, Mar 25, 2005.

  1. scottyf

    scottyf Private E-2

    Okay, I need some help. I followed the instructions to the letter of "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal", and in fact, thought I had kicked my problem. I have not.

    In addition to the required 4 steps, I installed Zone Alarm and replaced the Microsoft Java with Sun Java.

    Here's the problem. I am getting popups my popup blocker(s) cannot stop. I think I know when I downloaded this bad boy -- I was looking for CurveBall and the first site I tried asked if I wanted to download ActiveX. Foolishly, I did. Anyway, I have seen the EbayMoeMoney.exe in my services, but after the barrage of detectors and immunizers, it is gone. The popups disappeared for a while, but now they are back.

    I am running XP with a cable connection. Can you help me? Just tell me what to do...

    Thanks,
    Scott
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  3. scottyf

    scottyf Private E-2

    Here's the log file.

    Thanks!
     

    Attached Files:

  4. scottyf

    scottyf Private E-2

    A little more information. Zone Alarm has blocked this request 3 times now. I don't know what it is:

    "www.abetterinternet.com - Utility for downloading files and up" is trying to access the Internet

    Validation: not available in Zone Alarm
    Application: rndrcus.exe
    Destination IP: 24.28.131.62.DNS

    Another piece of the puzzle, I hope.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ebates

    Web Rebates

    Viewpoint


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    ViewMgr.exe

    ptcore.exe

    bcqkgs.exe

    packager.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
    O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)

    O4 - HKLM\..\Run: [fuoqeci] "C:\WINDOWS\System32\fuoqeci.exe"
    O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [bcqkgs] c:\windows\system32\bcqkgs.exe

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)

    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Ebates_MoeMoneyMaker ←–– Delete this whole folder if it exists!

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\bcqkgs.exe

    C:\WINDOWS\System32\packager.exe

    C:\WINDOWS\System32\fuoqeci.exe

    C:\WINDOWS\System32\vdrdpup.dll

    C:\WINDOWS\ptcore.exe

    C:\WINDOWS\farmmext.exe

    C:\WINDOWS\Pynix.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
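The removal list above is the expert reading a HijackThis log by eye: autostart entries with generated names dropped straight into C:\WINDOWS or System32, a BHO in the same place, dangling "(file missing)" entries, a hijacked start page, Trusted Zone additions and a downloaded ActiveX control. As an added example that is not part of this thread and not HijackThis's own logic, the Python script below parses those entry types (R0, O2, O4, O9, O15, O16) and applies the same judgement as simple rules. The sample log embeds the entries quoted in the post plus one constructed benign Run entry (SunJavaUpdateSched) as a control that must not be flagged; the scoring thresholds and the consonant-run test for machine-generated names are my own rules of thumb.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the HijackThis entries quoted in the post above,
# plus one made-up benign Run entry (SunJavaUpdateSched) as a control that
# the triage must leave alone.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL (file missing)
O4 - HKLM\..\Run: [fuoqeci] "C:\WINDOWS\System32\fuoqeci.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [bcqkgs] c:\windows\system32\bcqkgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?: \(file missing\))?$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# Autostarts that point straight into these folders deserve a look: real
# software installs under Program Files (ctfmon.exe is the usual benign
# exception, so a hit is a prompt to check, not a verdict).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system"}
VOWELS = set("aeiou")


@dataclass
class Finding:
    kind: str      # HijackThis section (R0, O2, O4, ...)
    subject: str   # name, path or URL the finding is about
    reason: str


def consonant_run(name: str) -> int:
    """Longest run of consecutive consonants; 5+ is rare in a real product name."""
    best = run = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def launched_path(cmd: str) -> str:
    """Binary an O4 command line really loads; for rundll32 that is the DLL argument."""
    m = re.match(r'(?i)^"?\S*rundll32(?:\.exe)?"?\s+"?([^",]+)', cmd.strip())
    if m:
        return m.group(1).strip()
    m = re.match(r'(?i)^"?(.+?\.(?:exe|dll|scr|com|bat|cmd))"?(?=\s|$)', cmd.strip())
    return m.group(1) if m else cmd.strip()


def score_o4(name: str, cmd: str):
    """Heuristic score for one Run entry (my own weights, not HijackThis's)."""
    path = launched_path(cmd)
    folder, _, base = path.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    score, reasons = 0, []
    if folder.lower() in WINDOWS_DIRS:
        score += 2
        reasons.append("launches from the Windows directory instead of Program Files")
    if max(consonant_run(name), consonant_run(stem)) >= 5:
        score += 2
        reasons.append("value or file name looks machine-generated")
    if "rundll32" in cmd.lower():
        score += 1
        reasons.append("rundll32 loads a DLL export at logon")
    if name.lower() != stem.lower():
        score += 1
        reasons.append(f"value name [{name}] differs from file name {base}")
    return path, score, reasons


def triage(log_text: str) -> list:
    """Entries a reviewer should look at, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if "(file missing)" in body:
            findings.append(Finding(kind, body, "dangling entry; fix it so nothing keeps trying to load a file that is gone"))
        if kind in ("R0", "R1"):
            findings.append(Finding(kind, body.split("=", 1)[-1].strip(), "IE start/search page set to a third-party URL"))
        elif kind == "O2":
            bho = O2_RE.match(body)
            if bho and bho.group("path").rpartition("\\")[0].lower() in WINDOWS_DIRS:
                findings.append(Finding(kind, bho.group("path"), "BHO loaded from the Windows directory rather than Program Files"))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if o4:
                path, score, reasons = score_o4(o4.group("name"), o4.group("cmd"))
                if score >= 2:
                    findings.append(Finding(kind, path, "; ".join(reasons)))
        elif kind == "O15":
            findings.append(Finding(kind, body.split(":", 1)[-1].strip(), "site in IE Trusted Zone gets relaxed security settings"))
        elif kind == "O16":
            dpf = O16_RE.match(body)
            if dpf:
                host = re.sub(r"^\w+://([^/]+).*$", r"\1", dpf.group("url"))
                findings.append(Finding(kind, dpf.group("url"), f"ActiveX control installed from {host}; keep only if you know the vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.subject}\n     {f.reason}")
```

Run against the sample, it reports the same five Run entries, the Pynix BHO, the two dangling entries, the start page, both Trusted Zone lines and the DPF control that the reply lists, and stays quiet about ViewMgr (the expert removed Viewpoint as unwanted software, not on the strength of its log line) and the constructed jusched control. Treat each hit as a question to answer, not a verdict.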
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I didn't see this in your log, do a search for rndrcus.exe and give me the information from it. Right click and select properties, get as much information as possible and post back with new HJT log.
     
  7. scottyf

    scottyf Private E-2

    Of the three programs to Add/Delete, only Viewpoint exists. I have two entries, Viewpoint Manager (Remove only) and Viewpoint Media Player. Should I remove them both?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes!
     
  9. scottyf

    scottyf Private E-2

    In processes, I got rid of ptcore.exe, but bcqkgs.exe wouldn't end, then a new one would pop up. I was unable to end it.
    Packager.exe and ViewMgr.exe were not present.

    In safe mode,
    C:\Program files\Ebates_MoeMoneyMaker did not exist
    C:\Program files\Viewpoint did not exist
    C:\WINDOWS\System32\Bcqkgs.exe -- deleted
    C:\WINDOWS\System32\Packager.exe -- deleted
    C:\WINDOWS\System32\fuoqeci.exe -- did not exist
    C:\WINDOWS\System32\vdrdpup.dll -- deleted
    C:\WINDOWS\Farmmext.exe did not exist, though there was a farmmext.ini (which I did not delete)
    C:\WINDOWS\ptcore.exe -- deleted
    C:\WINDOWS\pynix.dll -- deleted

    Also saw vdrcodec.dll, vdmredir.dll and vdrmux.dll in System32-- didn't touch, just wondering if problem

    Ran CCleaner and Spybot -- no immediate threats were found
    Ran cleanmgr -- checked Temporary Files, Temporary Internet Files, and Recycle Bin

    Rebooted into Normal Windows and scanned with HijackThis.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Information on "rndrcus.exe"

    Description: www.abetterinternet.com - Utility for downloading files and upgrading software
    Location: C:\Documents and Settings\Owner\Local Settings\Temp
    Size: 60.5 KB
    Size on Disk: 64.0 KB
    Created: Yesterday, March 24, 2005, 10:56:20pm
    Modified: Today March 25, 2005, 12:02:39am
    Accessed: Today, March 25, 2005 2:08:31am

    Version 2.0.1.2
    Copyright: BetterInternet, Inc @2005
    Original File Name: Thinstaller.exe
    Product name: Thinstaller

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     

    Attached Files:

  10. scottyf

    scottyf Private E-2

    None of the services you had me try to end are present now. The computer seems to be running well, though it was running well last time and the popups began to creep back. I will have to do some solid browsing to see if I can get the popups to come back, but that will have to wait until tomorrow. It's 3:00am here and I have to get to work tomorrow.

    Thanks for all your help,
    Scott
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Delete this file rndrcus.exe

    Delete this file as well!

    Second:

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.



    Just to be safe, lets do the following:

    Download Generic Detection Tool - NT/2000/XP

    NOW:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.


    Other than the one entry above, your log looks good! Delete those 2 files I mentioned and attach the log from above.

    Please do NOT reboot after posting this log, if you do then if the infection exists it will mutate as a different name.
     
  12. scottyf

    scottyf Private E-2

    Okay, I did the following:

    c:\windows\farmmext.ini -- deleted
    c:\windows\prefetch\rndrcus.exe- 1E069027.pf -- deleted
    C:\Documents and Settings\Owner\Local Settings\Temp\rndrcus.exe -- did not exist, but we did clean all those temp files last night

    Shut down browser and all extraneous programs, ran HijackThis, fixed line
    "o2 - BHO: PynixObj Class ....."

    Downloaded and ran Generic Detection Tool
    The log file is attached.

    Thanks!
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Download the following utility and run it, this will Flush your Prefetch folder.

    Second:
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file vx2fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the vx2fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Third:
    Download the following and run it as explained below:

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\in10b6s.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .


    After doing ALL of the above, attach me a fresh HJT log along with one more output.txt from the Generic Detection Tool.
     
  14. scottyf

    scottyf Private E-2

    I flushed the prefetch folder
    edited the registry
    Ran KillBox -- the file showed up blue and I red x'd it
    ran HijackThis and included the log file
    ran Generic Detection Tool and included the output file

    Are we having fun yet? ;)
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Both logs look good to me!:)

    Are you having any further problems?
     
  16. scottyf

    scottyf Private E-2

    So far, so good. The computer seems quicker, too.

    Thanks for all your help.....I know I couldn't have done it without you!

    Scott
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  18. scottyf

    scottyf Private E-2

    Did that yesterday. Not gonna happen to me again!

    Thanks again!
    Scott
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

