Sixty Six Got Smileys? pop up problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sickputer, Mar 5, 2005.

  1. Sickputer

    Sickputer Private E-2

    I have read the "read me first before asking for support" and it was very helpful. What a great resource. I complied with all the instructions and it resolved 99% of my misery. I have run all downloaded software at least 3 times over the past two days.
    However, I still have HuntBar and a pop up ad which displays a field of smilies. In the upper left hand corner is displayed "sixty six" (quote marks added). Under the field of smilies is GOT SMILEYS? Below that is a blue rectangular button that states GET FREE SMILEYS.

    The log in Hijackthis displays a line:
    O4-HKLM\..\run[sixtysix]C:\Windows\sixtypopsix.exe

    Am I safe deleting the above line?
    What about HuntBar?
    Thanks.
    sickputer
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Sickputer

    Sickputer Private E-2

    Log is attached.
    Thanks
    Sickputer
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Why are you running 2 instances of HJT?

    C:\Documents and Settings\Gil\Desktop\Spyware Tools\HijackThis.exe

    C:\Program Files\HijackThis.exe

    Only run the one located in the Program Files directory!


    Second:

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Viewpoint

    PanicWare

    wsxsvc


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    ViewMgr.exe

    wsxsvc.exe

    sixtypopsix.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
    O4 - HKLM\..\Run: [jgnmh] C:\WINDOWS\jgnmh.exe
    O4 - HKLM\..\Run: [wbyv] C:\WINDOWS\wbyv.exe
    O4 - HKCU\..\Run: [lftif11n] C:\WINDOWS\System32\lftif11n.exe

    O9 - Extra button: Support - {41C81E4A-E6F3-4ED9-88F4-073724A9E385} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {D5A4DCCE-03AD-492F-B382-CD3E74148D49} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {FC910F19-B23E-4C90-94C2-95BE18D22FF6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com

    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/232770c64fe295a95c15/netzip/RdxIE601.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.5/ttinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\Program Files\Panicware ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\wsxsvc ←–– Delete this whole folder if it exists!

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\lftif11n.exe

    C:\WINDOWS\wbyv.exe

    C:\WINDOWS\jgnmh.exe

    C:\WINDOWS\sixtypopsix.exe


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
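
An added example, not part of bjgarrick's post or of HijackThis itself: a small triage pass over the kinds of O4, O15 and O16 lines selected for fixing above, showing why entries such as `sixtypopsix.exe` and the `66.48.68.135` download stand out. The function name `triage`, the constant `SAMPLE_LOG` and the two heuristics (autostart binary sitting directly in `C:\WINDOWS` or `System32`, ActiveX download from a bare IP address) are assumptions of this example; the sample lines are copied from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: log lines copied from the thread, in HijackThis 1.99.1 format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKCU\..\Run: [lftif11n] C:\WINDOWS\System32\lftif11n.exe
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
"""

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] "?([^"]+)"?')
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (\S+)")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Assumption: an autostart binary placed directly in these folders deserves a manual look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def triage(log_text):
    """Return (section, item, reason) tuples for entries worth reviewing by hand."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path = m.group(3).strip()
            folder = path.rsplit("\\", 1)[0].lower()
            if folder in SYSTEM_DIRS:
                findings.append(("O4", path, "autostart binary directly in a system directory"))
        elif m := ZONE_RE.match(line):
            findings.append(("O15", m.group(1), "domain added to the Trusted Zone"))
        elif m := DPF_RE.match(line):
            host = urlparse(m.group(3)).hostname or ""
            if IPV4_RE.match(host):
                findings.append(("O16", m.group(3), "ActiveX control downloaded from a bare IP address"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section}: {item} -> {reason}")
```

Legitimate software also installs into `System32`, so a hit is a prompt to check the file, not a verdict.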
     
  5. Sickputer

    Sickputer Private E-2

    I didn't realize two HJT were running at the same time. How do I get rid of the extracted earlier version in my Spy Ware folder? Add/Remove Programs only operates in Program Files, not in the Spy Ware folder. Also, Note Pad is corrupted and I can't read the saved hijackthis.log. When I save the log to attach and send to the forum, does it replace the earlier log or are you getting both? Once I get these matters resolved, I will follow your instructions.

    Thanks.
    sickputer
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It will attach a new log, it will not overwrite the old one. To delete the other HJT just right click and delete it.

    Will be awaiting new HJT log. :)
     
  7. Sickputer

    Sickputer Private E-2

    Here's the new log.
    Thanks,
    sickputer
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Were you able to complete all my steps successfully? I notice a few items returned that shouldn't have.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall if found:


    wsxsvc



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:


    wsxsvc.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
    O4 - HKLM\..\Run: [jgnmh] C:\WINDOWS\jgnmh.exe
    O4 - HKLM\..\Run: [wbyv] C:\WINDOWS\wbyv.exe
    O4 - HKCU\..\Run: [lftif11n] C:\WINDOWS\System32\lftif11n.exe

    O9 - Extra button: Support - {41C81E4A-E6F3-4ED9-88F4-073724A9E385} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {D5A4DCCE-03AD-492F-B382-CD3E74148D49} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {FC910F19-B23E-4C90-94C2-95BE18D22FF6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com

    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab

    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/232770c64fe295...//download.toontown.com/sv1.0.13.5/ttinst.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.



    NEXT:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file mediafix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the mediafix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    NEXT:


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file popfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the popfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\System32\wsxsvc ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\lftif11n.exe

    C:\WINDOWS\sixtypopsix.exe

    C:\WINDOWS\jgnmh.exe

    C:\WINDOWS\wbyv.exe


    NEXT:
    Run CCleaner


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  10. Sickputer

    Sickputer Private E-2

    The second log I sent was the log run after deleting the earlier version. Since then I have followed your instructions without difficulty, checked off the bad lines and fixed with HJT. I then booted into SafeMode and deleted several of the folders and files specified while Viewing of Hidden Files & Folders Enabled. I ran CCleaner, Spybot, cleanmgr.

    Here's my log after following your second set of instructions (but not your last). Running Spybot found Huntbar and Viewpoint. Only Viewpoint was fixed.

    Your last set of instructions will give me a problem as my Note Pad doesn't fully function. I can save HJT's scan, but Note Pad won’t execute or retrieve. I've tried to reinstall Note Pad from my Word disks (Office XP Std. for Students and Teachers), but Microsoft won't recognize the flippin' Product Key. Any suggestions how to add the quote without doing a line by line typing?

    Thanks,
    sickputer
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean!

    Notepad doesn't have anything to do with Office. Are you saying when you click Start, All Programs, Accessories and click on NOTEPAD it will not open?

    If so, right click on NOTEPAD and make sure the target is set at:

    %SystemRoot%\system32\notepad.exe
     
  12. Sickputer

    Sickputer Private E-2

    Thanks for the help in cleaning my log. It is wonderful not seeing a bunch of smilies dancing on my screen. ;) However, after right clicking NOTEPAD in Accessories, it won't accept %SystemRoot%\system32\notepad.exe in the target box (behind C:\WINDOWS\) "The name 'C:\Windows\%SystemRoot%\system32\notepad.exe' specified in the target box is not valid. Make sure the path and file name are correct." I also tried %SystemRoot%\system32\notepad.exe alone with the same result. The current target is C:\Windows\System32\ACTMOVIE.EXE.
    Tnx agn,
    sickputer
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's why your NOTEPAD isn't working, right click it and change the target location to: C:\WINDOWS\notepad.exe

    See if this doesn't take care of your problem.
     
  14. Sickputer

    Sickputer Private E-2

    Bingo! That fixed Note Pad.
    Should I now add the quotes that you compiled in msg. #9?
    Thanks!
    notsosickputer
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If that fixed it, leave it! :D

    Are you having any other problems?
     
  16. Sickputer

    Sickputer Private E-2

    That fixed it! I can continue fixing it until it's broken again. ;) Thanks, very much.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!:)

    Let me know how the rest of your fix goes.
     
