Spyware and popup problems, have followed READ ME FIRST

I am having trouble with popups, very slow boot up and random links on webpages. I had begin2search toolbar and highlighted links on every page. After following all of the steps on the READ ME FIRST post I am still getting popups and links on pages (i.e. the work "computer" is doulbe underlined and mousover brings up a "This is a Sponsored Link" rectangle. Many words do this). The steps in Read me first got rid of begin2search and the highlighted words though. Below is a list of things that were removed or fixed in each of the steps in the Read me first doc. I didn't include the AdAware log, because it removed 291 items. Any help with this would be greatly appreciated. I have the newest version of Hijack This and can attach the log if that will be of help.

Thank You in advance.

Here is the log from the READ ME FIRST steps:

Trend Micro Online Scan:
Troj Istbar.X non-cleanable
Troj Lalus.A non-cleanable
Troj Agent.EG non-cleanable (4 copies)
BKDR IROFFER.A non cleanable
*****All 7 deleted*****

Symantec Security Scan:
Security Status:Safe

McAfee Avert Stinger Log:

McAfee AVERT Stinger Version 2.4.0.3 built on Sep 28 2004
Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Sep 28 2004. Ready to scan for 43 viruses, trojans and variants.
Scan initiated on Tue Oct 05 10:31:56 2004

C:\WINDOWS\SYSTEM32\wins\SVCHOST.EXE
Found the W32/Nachi!tftpd virus !!!
C:\WINDOWS\SYSTEM32\wins\SVCHOST.EXE has been deleted.
Number of clean files: 200847 Number of infected files: 1
Number of files deleted: 1

Spybot Scan Results:

DSO Exploit: Data source object exploit (Registry change, fixed)

HKEY_USERS\S-1-5-21-606747145-1957994488-748035971-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

GoldenPalace.Casino: Autorun settings (oleaccrc) (Registry value, fixed)
HKEY_USERS\S-1-5-21-606747145-1957994488-748035971-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oleaccrc

 

please attach your log.

 

I think I got most of it by following the guides in the HJT tutorial, but there were several that I was unsure of.

Thanks for the quick response.

 

Things seem to be better now. I haven't had a popup yet. However, the extra button and extra tools item came back after reboot.

No, I don't recognize those two processes you asked about.

There was no file in explorer C:\WINDOWS\Kfqxnekj.dll, there was a C:\WINDOWS\Kfqxnekj.INI. Should this be deleted?

Also there was no c:\program files\180solutions at all.

I have attached a new HJT log.

thanks so much for you help.

 

I would get rid of these

O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)


for chas:

i'm leary of this too

O4 - HKLM\..\Run: [SystemTray] SysTray.ExE

Dunno why it would be listed there. Of all the logs I've seen, I've never seen it listed. Makes me pop a red flag.
y

 

I have gotten rid of both of these twice and they come back with each restart. Is there a manual method to remove these from IE?

Thanks

 

That seems to have my problems wrapped up.

Thanks to Chas and Kodo for your help today.

 

well, lets see what happens after he merges the reg.

 

Here is new log.

 

systray.exe was only found in c:\windows\system32
Version:5.0.2139.1
size: 3.76 KB (3,856 bytes)
size on disk: 8.00 KB (8,192 bytes)

I don't recognize these files.

C:\WINDOWS\SYSTEM32\DNTUS26.EXE
Description: DameWare Development Remote Command Server
version: 3.69.0.7
size: 72.0 KB (73,728 bytes)
size on disk: 72.0 KB (73,728 bytes)

C:\WINDOWS\SYSTEM32\DWRCS.EXE
Description: DWRCS
version: 3.69.0.7
size: 228 KB (233,472 bytes)
size on disk: 232 KB (237,568 bytes)
Company Name: DameWare Development

Both of these files were created in Jan, 2003, which was before I was using this computer, so it isn't somthing I put on here. I hope this is enough info.
Thanks.

 

Chaslang or Kodo,

Am I in the clear now? If so, thanks for all the help.

Publius