searchingbooth, etc won't stop, PLEASE HELP!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by minerva, Mar 15, 2005.

  1. minerva

    minerva Private E-2

    no one has been able to help me thus far, so i'm trying to see if majorgeeks.com can help. pop-up ads won't stop coming and in the span of 30 seconds, i can have at least 60 of them on my screen, most of them coming from searchingbooth.com, but with some on-line gaming sites thrown in there as well. i have tried running msconfig and disabling all the startup programs (and i've also disabled system restore), just to see if that changes anything, but somehow they all re-check themselves and become part of my startup process once again. i have updated versions of symantec antivirus, adaware, and spybot search and destroy and every time i run one of those, they clean some files and say that rebooting my computer and running the scan again should take care of the other problems, so i reboot, the scan runs, and it doesn't solve anything, only to have my screen bombarded with popups again. here is my HJT log.
    i would be SO grateful if anyone could please help me!!
    thank you!!
    *minerva*


    Logfile of HijackThis v1.99.1
    Scan saved at 7:44:14 AM, on 3/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     
    Last edited by a moderator: Mar 16, 2005
  2. tblue

    tblue Corporal

    Good Morning minerva,
    Did you complete all of the steps in the tutorial below ?

    http://forums.majorgeeks.com/showthread.php?t=35407

    There are a lot of steps in here that would help you. You should follow the directions carefully and post any problems you have with them. It gives the pros here somewhere to start at. Also, don't post your HJ log inline; you need to do it as an attachment.
    Good Luck :D
    T.Blue
     
  3. minerva

    minerva Private E-2

    thanks for your quick reply. unfortunately, after running all of the scans listed on that link you sent me, it doesn't seem like much (if anything) has changed. i'm attaching my HJT log (or at least i'm going to try).
    what do you suggest i do next?
    thanks!
    *minerva*
     

    Attached Files:

  4. tblue

    tblue Corporal

    hi minerva,
    you need to create a new folder for HJT. It needs to be in its own folder.
    C:\Program Files\HJT
    After doing that, run another scan & repost your log as an attachment. One of the pros (Chase, Phillie, BJ or The Old Thug) will be glad to help you. :D

    Good Luck,
    T.Blue
     
  5. minerva

    minerva Private E-2

    ok, done and done. is it ok that i'm saving over the previous hjtlog with every new one or should i keep them all separate from one another?
    i'm attaching the new log.
    thanks,
    *minerva*
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Allow me a moment to post you a fix.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Second:

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    flyduy2k

    SEP

    WeatherBug



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    tQl.exe (Two Processes)

    pigotvvweo.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)

    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {0138D5A1-62DB-465B-883D-E0C14CC366EC} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {0138D5A1-62DB-465B-883D-E0C14CC366EC} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {02BDF78E-3E91-4E93-B0CF-AB7E06AD52E3} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {054B664F-F55F-4E6A-BBCC-AEED3E1498C8} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {074B2976-C2FC-4EC1-AEF1-E69D9B0384D5} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {09C042D4-6F83-4D2D-A553-F1B1DFE2B9E6} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {0A5EBC46-8D24-4387-AB83-533E22C43136} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {20C4B289-802B-475F-AB05-962A7CBB5642} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {21EDC432-4766-4CE7-A5A2-6C8163127DD1} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {2A7EE29A-CAF6-49CE-BAE2-07E70EFCF112} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {3AC66660-7141-4A22-820B-489248C61145} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {3BE8D24A-FAF3-4858-BEA6-2C7265A63B05} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {431E14C3-2434-4DD4-B76D-CC65F5A0663C} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {43A1CDBA-0819-43F9-827D-A6EA9FDDC401} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {444640E5-225F-4010-A3AA-0B25F199552B} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {545FC044-EC40-4510-A964-42E258B66845} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {55CCE6FF-F7E7-490F-AB06-8C1A4D550C85} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {574F4600-D11D-451D-9A96-02D80C54F1A4} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {5B8BAE99-8EE6-4336-A065-59BB4FB4C52F} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {5CDEF00D-2172-4DC6-B708-F9B578F90CA4} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {5CF53C38-06FB-4AB7-9E88-8C0A9E7CC8C8} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {60E1F5F6-0151-4EE0-AA75-DEC2BA0AE722} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {650B9FBB-11DC-4BAD-8917-BFB522C881E9} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {70FFE5FE-A788-4F08-8A8D-C6C58F28DA7A} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {75E81D36-6539-4CA5-B07D-F0B74DFD2F89} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {76051965-7C7D-425A-AD05-9526BE84BD21} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {772E1CD6-DE7F-4336-A7CF-B4CA6363001F} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {7FD77F91-0B50-4DB7-93CC-4A606F1FDDCA} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {848A2D2D-E6FC-4EB7-B352-00D311F6B6D6} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {8AD3195A-5150-4FF7-8E90-9E4FA7FE5193} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {99B3E246-40AE-4CD1-B29D-12B0942094BB} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {9BB59593-B9BC-4EDB-8F86-76D2DE6987C1} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {A4DF0BF3-42DB-4415-9167-70C272EB8272} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {A5CFAAA2-F275-49CD-BFE6-334F7E6CCB05} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {B041E3EB-1C69-409F-A8E5-3A7E715ED7AC} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {B62C0125-FD18-49B8-A9AB-10B453901760} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {B6A916D2-A489-446A-88B6-91EE40BF6D58} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {BA3B2F45-4F75-472F-B0A4-F51F157DCB98} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: (no name) - {CFFFB653-8C9D-45C7-90A7-C6F83899A75D} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {D85323CC-E542-4718-A798-0969A7C420DB} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {E582CD51-BEBC-4C33-9B25-61725B82AA4B} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {E7B91AC6-C340-42C5-A8BC-8FEDD98DCF46} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {E7DFA1EA-E323-46B2-BE14-AA9282475F58} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {F38D588B-CBC6-40E0-A2A6-5A140C94BB08} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {F5A2D65B-608B-4680-AA84-853CE99F299D} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {F92E78F2-B65A-4156-A919-9BC0F5ED0070} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {FDDA854C-71B0-4D6A-A753-5F756F27A25A} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)

    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

    O4 - HKLM\..\Run: [tQl.exe] C:\windows\system32\tQl.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} (DevalVRX) - http://www.devalvr.com/instalacion/plugin/devalocx.cab
    O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0022.exe
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\Program Files\flyduy2k ←–– Delete this whole folder if it exists!

    C:\Program Files\SEP ←–– Delete this whole folder if it exists!

    C:\Program Files\Weather Bug ←–– Delete this whole folder if it exists!

    C:\WINDOWS\SYSTEM32\tQl.exe

    C:\WINDOWS\system\pigotvvweo.exe

    C:\WINDOWS\dlmax.dll

    C:\WINDOWS\SYSTEM\blank.htm


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    NOW:
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
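The fix above walks through HijackThis entries section by section (R0, O2, O3, O4, O9, O16), each naming a CLSID, a file path or a download URL. As an added example that is not part of this thread or of HijackThis itself, the following Python script parses lines in that format and flags the ones matching the indicators bjgarrick named: paths inside the flyduy2k and SEP folders, the files he says to delete, the duplicated BHO line, and the O16 entry that pulls a bare .exe; the sample log is constructed from lines quoted above and the flagging rules are this script's own assumptions, not HijackThis logic.

```python
import re

# Assumption: names the fix above says to uninstall/delete are the indicators; any
# log entry resolving into one of these folders or files is treated as suspect.
SUSPECT_DIRS = {"flyduy2k", "sep"}
SUSPECT_FILES = {"tql.exe", "pigotvvweo.exe", "dlmax.dll", "blank.htm"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")  # "O2 - BHO: ..." style line
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?=\s+\(|$)")  # drive path up to " (" or end of line
URL_RE = re.compile(r"https?://\S+")

# Constructed sample: entries copied from the fix above, incl. its duplicated BHO line (not a full log)
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {0138D5A1-62DB-465B-883D-E0C14CC366EC} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
O2 - BHO: (no name) - {0138D5A1-62DB-465B-883D-E0C14CC366EC} - C:\Program Files\flyduy2k\flyduy2k.dll (disabled by BHODemon)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [tQl.exe] C:\windows\system32\tQl.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0022.exe
"""

def parse_entry(line):
    """Split one HJT line into (section, path, url, raw); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path, url = PATH_RE.search(m["body"]), URL_RE.search(m["body"])
    return m["sec"], path and path[1], url and url[0], line.strip()

def flagged_entries(log_text):
    """Return (raw_line, reasons) for entries matching the fix's indicators, in log order."""
    seen, out = set(), []
    for sec, path, url, raw in filter(None, map(parse_entry, log_text.splitlines())):
        reasons = []
        if path:
            parts = path.lower().split("\\")
            if SUSPECT_DIRS & set(parts[:-1]):
                reasons.append("path lies inside a folder the fix says to delete")
            if parts[-1] in SUSPECT_FILES:
                reasons.append("file is one the fix says to delete")
        if sec == "O16" and url and url.lower().endswith(".exe"):
            reasons.append("DPF entry downloads a bare .exe instead of a .cab package")
        if raw in seen:
            reasons.append("exact duplicate of an earlier entry")
        seen.add(raw)
        if reasons:
            out.append((raw, reasons))
    return out
```

Running `flagged_entries(SAMPLE_LOG)` leaves the WeatherBug O9 line unflagged, which matches the thread: it is an uninstall recommendation, not one of the files marked for deletion.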
     
  8. minerva

    minerva Private E-2

    ok so i did all that stuff you just listed, and there were a couple of things i couldn't change (but since you said "if found," i'm assuming that, in my case, i just didn't find them, and that's ok).

    in the second step, i couldn't find "flyduy2k" in add/remove programs.
    then, near the end, just before running CCleaner, under program files, i couldn't find the folders of SEP or WeatherBug, and in C:\Windows, i couldn't find dlmax.dll and blank.htm (in C:\Windows\System).

    is weatherbug a bad program to have installed? if so, what is a good weather-updater that you would recommend?

    all weather talk aside for the moment, though, here's the new HJT log.
    what do you think?

    *minerva*
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I use Weather Watcher 5.6 and I love it!

    Do you have hidden files and folders enabled?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now scan with HijackThis and Check the Box for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [tQl.exe] C:\WINDOWS\SYSTEM32\tQl.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following file:

    C:\WINDOWS\SYSTEM32\tQl.exe


    NEXT:
    Run CCleaner


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
     
  11. minerva

    minerva Private E-2

    i didn't find the file after i booted into safe mode. but the rest of it went fine.
    here's the new HJT log.
    thanks!
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean!:)

    Are you currently experiencing any further problems?
     
  13. minerva

    minerva Private E-2

    so far, so good!
    you're good!!
    thanks SO much, from both me and my sanity,
    *minerva*
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

