Frustrated!!! Really need help

Question

Tried everything I know to get rid of pop-ups including ad-aware, spybot and Mcafee. It deletes them but then they come right back sometimes even more of them. How in the world do new ones show up even when I'm not logged onto the internet? I also have three new icons on the desktop that appear to be internet shortcuts, they are labeled: 'clean your credit', 'online pharmacy' and one other. I am completely baffled as to how to remove these. I have tried the trash can and everything else to no avail. How did they get there, how do I remove them and are they part of my problem here? I would be grateful for any advice.  I did scan with hijack this and here it is: Can anyone tell me what in the world is going on here? Logfile of HijackThis v1.97.7Scan saved at 10:33:23 PM, on 6/5/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\CTsvcCDA.exeC:\WINDOWS\system32\drivers\dcfssvc.exec:\PROGRA~1\mcafee.com\vso\mcvsrte.exeC:\WINDOWS\System32\MsPMSPSv.exeC:\WINDOWS\system32undll32.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\PROGRA~1\mcafee.com\vso\mcvsshld.exeC:\Program Files\QuickTime\qttask.exeC:\documents and settings\david r. melk\local settings	emp\StQ.exeC:\WINDOWS\System32\jkhqrjzw.exeC:\PROGRA~1\Bleh the time\Poll date build.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Webroot\Spy Sweeper\SpySweeper.exec:\progra~1\mcafee.com\vso\mcvsescn.exec:\progra~1\mcafee.com\vso\mcvsftsn.exeC:\PROGRA~1\eZula\mmod.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exec:\PROGRA~1\mcafee.com\vso\mcshield.exeC:\PROGRA~1\VBouncer\VIRTUA~1.EXEC:\Documents and Settings\David R. Melk\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.htmlR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostO1 - Hosts: 207.36.196.189 auto.search.msn.comO1 - Hosts: 207.36.196.189 search.netscape.comO1 - Hosts: 207.36.196.189 ieautosearchO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dllO3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dllO3 - Toolbar: Phonemultitray - {A3401940-1724-338C-580C-36DBB14DD031} - C:\PROGRA~1\grimthis\heck defy.dllO4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exeO4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exeO4 - HKLM\..\Run: [VSOCheckTask] 'c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe' /checktaskO4 - HKLM\..\Run: [VirusScan Online] 'c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe'O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [efal] C:\WINDOWS\efal.exeO4 - HKLM\..\Run: [StQ] C:\documents and settings\david r. melk\local settings	emp\StQ.exeO4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exeO4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\PcwbkiJQ.exeO4 - HKLM\..\Run: [w7oS3pO] upnenum.exeO4 - HKLM\..\Run: [nzrzjxskbmzry] C:\WINDOWS\System32\jkhqrjzw.exeO4 - HKLM\..\Run: [HtmReal] C:\PROGRA~1\Bleh the time\Poll date build.exeO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0O4 - HKCU\..\Run: [MProcessor] 'C:\Program Files\MProcessor\mprocessor.exe'O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exeO4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exeO4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exeO9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)O9 - Extra button: Messenger (HKLM)O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)O9 - Extra button: Real.com (HKLM)O9 - Extra button: MoneySide (HKLM)O9 - Extra button: Messenger (HKLM)O9 - Extra 'Tools' menuitem: Messenger (HKLM)O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cabO16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CABO16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CABO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

aero654 · Answer

Thank you, I created a folder and moved it in there. I have the scan log in 'my documents' should I move that in there as well and delete it from my documents?  Can you tell what is going on with my system?

pskelley · Answer

Important: Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Move HijackThis into this folder. When you run HijackThis from this folder and have it 'Fixed checked' it will create a backup file of modifications to use if restore is necessary. Please delete the old copy so it can't be used.

Navin kurian · Answer

Run spybot 1.3 http://www.safer-networking.org/index.php?page=mirrors

then delete

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [efal] C:\WINDOWS\efal.exe
O4 - HKLM\..\Run: [StQ] C:\documents and settings\david r. melk\local settings\temp\StQ.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\PcwbkiJQ.exe
O4 - HKLM\..\Run: [w7oS3pO] upnenum.exe
O4 - HKLM\..\Run: [nzrzjxskbmzry] C:\WINDOWS\System32\jkhqrjzw.exe
O4 - HKLM\..\Run: [HtmReal] C:\PROGRA~1\Bleh the time\Poll date build.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

then run cwshredder

http://www.spywareinfo.com/~merijn/downloads.html
http://www.spywareinfo.com/~merijn/htlogtutorial.html

Virus & Spyware

Was this post helpful?