-
March 29th, 2004, 01:19 PM
#1
PopUps/Spyware HELP Needed!!!!!
Hi Guys
I'm a bit of a novice when it comes to computers, however in the last few days my PC has slowed down a lot, especially when I am browsing the internet & also I am getting a lot of popups, even on sites that I know do not have popups..........so I'm assuming that something has been installed on my computer.
I'm running Windows 98 & I had a quick look in Add/Remove Programs, but I can't see anything unusual there.
I downloaded 'Hijack This' after reading about it on this forum, and these are the results of the scan:
Logfile of HijackThis v1.97.7
Scan saved at 19:14:33, on 29/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
D:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
D:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\OBEXECJ.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\VINODS\VARIOUS\DOWNLOADS\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://h28144.find-quick.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lop.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://h28144.find-quick.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lop.com/searchbar.html
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.yahoo.com"); (D:\Program Files\Netscape\Users\v11nny\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\WINDOWS\APPLICATION DATA\PLG_IE0.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.EXE
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OBEXECJ] C:\WINDOWS\SYSTEM\OBEXECJ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: RealDownload.lnk = D:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\Vstascan\VsAccess.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://66.28.45.60/Download_Plugin.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://download.macromedia.com/pub/...irector/sw.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://myauctiontrainerevents.webex...ex/ieatgpc.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
Hope someone can help me & thanks in advance guys
-
March 29th, 2004, 01:24 PM
#2
Registered User
Ad-Aware, www.lavasoftusa.com
Install it, update it, then scan. It'll get rid of all that stuff. The Google toolbar is good for popups that are from a web page, rather than the adware. Spybot is supposed to work pretty well, too, but I don't know the site for it.
-
March 29th, 2004, 01:58 PM
#3
Registered User
Spybot S&D homepage is:
http://www.safer-networking.org/
The two together work better than either one by itself. After you have downloaded those two and updated them and fixed what they find, stick HijackThis in a folder of its own on the desktop and run it again and post the results.
-
March 29th, 2004, 04:42 PM
#4
Driver Terrier
Uhhh he has lop - Spybot MUST be updated on line to deal with this effectively!!!
-
March 29th, 2004, 04:49 PM
#5
Registered User
 Originally Posted by NooNoo
Uhhh he has lop - Spybot MUST be updated on line to deal with this effectively!!!
Yep.. that's why I said download them and update them and fix what they find... there are a bunch of other entries there as well, but most of them will be eliminated with Spybot and Ad-Aware.
-
March 29th, 2004, 05:13 PM
#6
Registered User
...and remember, if all else fails, there's this handy utility that removes ALL malicious software from your computer. It's called FDISK.
-
March 29th, 2004, 07:35 PM
#7
Thanks for all the help so far.
I downloaded Spybot & Ad-Aware. I updated Spybot & ran it without any problems.
However with Ad-Aware, it works fine before I download an update. After I downloaded the update & ran it, it keeps on crashing when getting to "C:\WINDOWS\cookies......."
I also cleaned out all my internet cookies/files in control panel>internet options.........however there was one cookie that I can not delete for some reason, below is what is in the cookie, not sure if it is relevant to my problem
tagtext="<a href=http://servedby.advertising.com/click/site=0000070800/mnum=000
Also ever since I've started having trouble with these popups, I've noticed that as soon as I switch my computer on, the dial up box to connect to the internet will come up.............as if something installed on my computer is trying to connect to the internet!!!
When my computer has been powered on, by pressing CTL-ALT-DEL the following applications show up as running :
Creative Launcher
Explorer
InCd
Stimon
Loadqm
Dragdiag
Systray
Rnaapp
Vsaccess
Ahqtb
As far as I can recall, I have seen them all there before any of the popup problems & the dial up connection box appearing on start up, problems had started.
Here is a result of a new Hijack scan that I have just run. It seems to have got rid of a lot of stuff from my original scan :
Logfile of HijackThis v1.97.7
Scan saved at 01:10:56, on 30/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
D:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
D:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.yahoo.com"); (D:\Program Files\Netscape\Users\v11nny\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.EXE
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [P_950C] C:\WINDOWS\SYSTEM\P_950C.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: RealDownload.lnk = D:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\Vstascan\VsAccess.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://download.macromedia.com/pub/...irector/sw.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://myauctiontrainerevents.webex...ex/ieatgpc.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
Any ideas on why Ad-Aware may be crashing when scanning C:\WINDOWS\cookies.......?
Also how do I stop getting the dial up connection box coming up every time my PC powers on?
Thanks again guys
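Comparing the two HijackThis scans by eye is error-prone, so here is an added example (not part of any post in this thread) that diffs two logs and reports entries that were removed, added, or changed in place. The way each entry's identity is derived (CLSID, Run value name, or the text before " = ") is an assumption of this sketch, not HijackThis's own logic; the sample input is excerpted from the two scans posted above.

```python
import re

ITEM = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")         # e.g. "O4 - <detail>"
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUNKEY = re.compile(r"^(.+?: \[[^\]]+\])\s*(.*)$")     # "<key>: [Name] command"

def entry_key(section, detail):
    """Split an item into (identity, value) so a changed value is detectable."""
    m = CLSID.search(detail)
    if m:                                   # O2/O3/O16: identity is the CLSID
        return (section, m.group(0).upper()), detail[m.end():].strip(" -")
    m = RUNKEY.match(detail)
    if m:                                   # O4 Run keys: key plus value name
        return (section, m.group(1)), m.group(2)
    if " = " in detail:                     # R0/R1, O4 Startup: name = value
        name, value = detail.split(" = ", 1)
        return (section, name), value
    return (section, detail), ""            # F1, N1, O9, ...: whole detail

def parse_log(text):
    entries = {}
    for line in text.splitlines():          # header and process lines don't match
        m = ITEM.match(line.strip())
        if m:
            key, value = entry_key(m.group(1), m.group(2).strip())
            entries[key] = value
    return entries

def diff_scans(before, after):
    old, new = parse_log(before), parse_log(after)
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return removed, added, changed

# Excerpts of the first and second scans posted in this thread.
BEFORE = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lop.com/searchbar.html
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
O4 - HKLM\..\Run: [OBEXECJ] C:\WINDOWS\SYSTEM\OBEXECJ.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe"""
AFTER = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [P_950C] C:\WINDOWS\SYSTEM\P_950C.exe"""

if __name__ == "__main__":
    for label, keys in zip(("removed", "added", "changed"), diff_scans(BEFORE, AFTER)):
        print(label, keys)
```

The "added" list is the one to review after a cleanup pass: it holds autostart or browser entries that were not present in the earlier scan.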
-
March 30th, 2004, 10:45 AM
#8
Registered User
Have you tried to start in safe mode and remove the cookie that way? Use the admin logon in safe mode and see if it works. Meanwhile, remove the following:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
-
March 30th, 2004, 03:38 PM
#9
 Originally Posted by geoscomp
Have you tried to start in safe mode and remove the cookie that way? Use the admin logon in safe mode and see if it works. Meanwhile, remove the following:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
Thanks for all your help.........have not had any popups since following your advice.
The dial up connection box & Cookie which has made itself at home, are still there........however I can live with that.
Also thanks to everyone else who shared their vast knowledge of information to help me eradicate this problem.