HELP!! i am having pop up trouble and desperately need help

Live forum: http://forum.freeipodguide.com/viewtopic.php?t=18328

vdubgirl

13-07-2005 05:27:12

i'm at work....i used to do my free sites from work, but lately i've been getting popups pretty bad. i tried downloading the google and yahoo popup blocker toolbars, but they won't show up in IE.

i run Spybot every day and the same adware comes up. i run yahoo anti-spy every day, and the same adware comes up. my Symantec also runs every day and brings up a trojan in the file winnt/system32/installer.exe. it can't be quarantined or deleted.

i've recently drastically reduced my surfing at work to just wedding websites, hotmail, and online banking. the rest i do at home (where i oddly don't get any popups).

today....i got some full-fledged plirn popups.....i'm freaking out. cuz i'm at work.

i can't download weird programs online to clear up my computer, only free ones like yahoo anti-spy.

can someone tell me what to do to stop this sh!t? i don't want to get in trouble...i never access "questionable" sites.....but now the popups, which i can't get rid of, are questionable.

i need to take care of this asap. get rid of popups, the trojan, and the spyware if possible.

comppimp

13-07-2005 05:50:51

Download HijackThis from here: http://www.spywareinfo.com/~merijn/downloads.html and post the log. Also, I wouldn't recommend doing any more online banking or password-sensitive browsing until you get that trojan off your PC.

P.S. What's the name of the trojan Symantec says you have?

vdubgirl

13-07-2005 06:02:04

here is the screenshot of what symantec gives me about the trojan:
http://img.photobucket.com/albums/v134/dubdubgirl79/Random/symantec.jpg

and here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:57:08 AM, on 7/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\installer.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\RDS\RsiSvc.exe
C:\WINNT\system32\r_server.exe
C:\Program Files\RDS\srscandr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\RDS\ddsschednt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\rlkzzu.exe
C:\WINNT\system32\Klrhmg.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\Documents and Settings\AKohls\Desktop\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.27.2.30:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = apps.odl.com;forms.odl.com;ocsmidtier.odl.com;ocsstorage.odl.com;<local>
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iexplore] C:\WINNT\system32\iexplore.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Zig] C:\WINNT\Saklbcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINNT\system32\PSof1.exe
O4 - HKLM\..\Run: [regsync] C:\WINNT\system32\regsync.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitergn32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rlkzzu.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [374g34g] dbntcli.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Klrhmg.exe
O4 - HKLM\..\Run: [laltin] C:\WINNT\system32\L90112201.Stub.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "virtumonde" "2"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/3_0_0_834/sdcregie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://forms.odl.com:8003/jinitiator/oajinit.exe
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{480D265A-54A9-49D0-BD2A-4128CB10E625}: NameServer = 172.27.2.30,192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{480D265A-54A9-49D0-BD2A-4128CB10E625}: NameServer = 172.27.2.30,192.168.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{480D265A-54A9-49D0-BD2A-4128CB10E625}: NameServer = 172.27.2.30,192.168.1.5
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINNT\system32\installer.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe

comppimp

13-07-2005 06:52:25

To remove the trojan, follow these steps:

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
Run a full system scan and delete all the files detected as Download.Trojan.
Clear Internet Explorer History and files, if needed.

Check internat.exe and make sure it isn't one of the viruses/worms listed on this page: http://startup.iamnotageek.com/srch-internat.exe.html. Also, what are Klrhmg.exe and rlkzzu.exe? Couldn't find any info on them on Google.

As for the spyware, go here: http://www.simplytech.it/ETRemover/ETRemover_v130.zip; that will remove the "Elite Toolbar". Not sure what Saklbcd.exe or dbntcli.exe are, should look into that.

Download mwavscan (mwav.exe): http://www.spywareinfo.dk/download/mwav.exe
(MUST!) Unzip 'mwav.exe' into a newly created directory 'c:\bases' (!).
Use 'kavupd.exe' to get the latest signatures (MUST!).
If you 'hear' that the signatures are more than 30 days old, keep trying.
You will get the current signatures. Keep trying!

Disconnect from the Internet.
(MUST!) Switch to safe mode.

Delete the content of all temporary folders:

Go to START > Run and type cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.

Go to START > Run, type %temp% and press [Enter]. Do this for every user.

Go to START > Control Panel > Internet Options > Programs tab and click Restore Web Settings.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Delete the whole content of C:\Documents and Settings\Your Name\Local Settings\Temp <== this folder.

Using BHOList (http://computercops.biz/zx/Merijn/bholist.zip), disable any BHOs like EliteToolbar, making sure Internet Explorer is closed during all this. Using the HijackThis check boxes, remove any entries I've said above plus [PSof1] C:\WINNT\system32\PSof1.exe, [regsync] C:\WINNT\system32\regsync.exe, [checkrun] C:\winnt\system32\elitergn32.exe, [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun, and [laltin] C:\WINNT\system32\L90112201.Stub.exe, making sure that all these processes are shut down first via Task Manager. Click "Fix Checked" and close HijackThis. Then manually go to the location of the above said programs and delete each one of them. After that, close down any other programs and start a full scan with mwavscan.com in C:\bases, making sure to select memory, startup-folders, drives, registry, ini files, system folders, and services. Click "Scan clean". When it's done, view the log and save it.

Reboot back into normal mode, and post the mwav log and a new HijackThis log. Might take some time to do all this, but it should get rid of everything.

Disclaimer: Anything and everything I said is my opinion as to what might fix this problem. If your computer gets fried/raped/destroyed/formatted/turns homo in any way, I am not responsible for it. kthx

P.S. Get on AIM if you need me to walk you through any of the steps.
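As an added example (not from the thread or from HijackThis itself), a Python triage pass over lines copied from the log above, automating the kinds of checks comppimp made by eye: browser start/search pages on hosts the owner never chose, hosts-file redirections, autorun entries whose names don't match their binaries or that sit directly in the Windows directory, and services with no publisher. TRUSTED_HOSTS and WINDIR are assumptions about this particular machine.

```python
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O1 - Hosts: 12.129.205.209 search.netscape.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zig] C:\WINNT\Saklbcd.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rlkzzu.exe reg_run
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINNT\system32\installer.exe
"""

# Assumptions: the pages this machine's owner actually chose, and the Windows
# directory of the Windows 2000 box in the log (C:\WINNT).
TRUSTED_HOSTS = {"www.yahoo.com", "www.dell.com", "red.clientapps.yahoo.com"}
WINDIR = r"c:\winnt"

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_TARGET = re.compile(r'\[(.+?)\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', re.I)

def triage(log_text):
    """Return (section, reason, line) for entries a reviewer should check first."""
    # Hints, not verdicts: a lookalike such as [iexplore] C:\WINNT\system32\iexplore.exe
    # passes the name check below and still needs a human eye.
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1") and " = http" in body:
            host = urlsplit(body.split(" = ", 1)[1]).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((sec, f"start/search page set to untrusted host {host}", line))
        elif sec == "O1":
            findings.append((sec, "hosts-file entry overrides DNS for a well-known name", line))
        elif sec == "O4" and (t := O4_TARGET.search(body)):
            name, exe = t.group(1).lower(), t.group(2).lower()
            folder, base = exe.rsplit("\\", 1)
            if folder == WINDIR:
                findings.append((sec, "autorun binary sits directly in the Windows directory", line))
            elif folder.startswith(WINDIR) and name not in base[:-4] and base[:-4] not in name:
                findings.append((sec, f"Run key name '{name}' does not match binary {base}", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service binary has no publisher information", line))
    return findings
```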

vdubgirl

13-07-2005 07:04:25

ok i printed out your instructions.
i'll be on aim.....
hotgirlhotvw (i can't bring up your ID so please IM me)

thanks!

vdubgirl

13-07-2005 11:36:07

comppimp--
i can't seem to get back on AIM...when i try to IM, the window appears and disappears.

anyways.
i emailed you the last Hijackthis log and a screen shot of an error i got on startup.

J4320

13-07-2005 11:45:16

Woah... Comppimp, very detailed. Good job with that.

vdubgirl

13-07-2005 11:49:25

comppimp has been walking me through this on aim all day.....

he deserves 1kadgillion karma points for helping me out!!

J4320

13-07-2005 11:50:24

Well I'm sure he could give that to himself. ;)

comppimp

13-07-2005 11:56:16

Can you log into Aim Express (www.aim.com) and use that?

Or if you have yahoo/msn, PM me your screename on that.

vdubgirl

13-07-2005 11:57:21

i use aim express normally....and i can log in and everything but when i try to PM, the PM window comes up and then goes away. been like that for a while now....my buddy list appears, but the little menus don't appear at the top.

i can't do regular aim or another chat program.
everything's blocked here

do you see me on aim?
if so, try and pm me

comppimp

13-07-2005 11:59:10

Does the IRC java applet (http://www.freeipodguide.com/?ops=chat) work for you?

vdubgirl

13-07-2005 12:00:32

java chat on other websites doesnt work, so i doubt it will here

comppimp

13-07-2005 12:01:56

Ok, I'll do it through PMs then.

J4320

13-07-2005 12:02:53

Yeah this thread is like a little conversation between you two.

vdubgirl

13-07-2005 12:03:02

DANG it did work.
i'm in the chat i guess lol

Batman

13-07-2005 12:14:53

This is what I would recommend for pop up troubles. ;)

http://www.orexis.com/images/bigbox.jpg

J4320

13-07-2005 12:17:01

[quote="Batman"]This is what I would recommend for pop up troubles. ;)

http://www.orexis.com/images/bigbox.jpg[/quote]

AH!!! AN OFFER OF D00M!!!!!

CoMpFrEaK

13-07-2005 12:25:48

[quote="J4320"][quote="Batman"]This is what I would recommend for pop up troubles. ;)

http://www.orexis.com/images/bigbox.jpg[/quote]

AH!!! AN OFFER OF D00M!!!!![/quote]

There are free trials ;)

J4320

13-07-2005 12:28:12

[quote="CoMpFrEaK"][quote="J4320"][quote="Batman"]This is what I would recommend for pop up troubles. ;)

http://www.orexis.com/images/bigbox.jpg[/quote]

AH!!! AN OFFER OF D00M!!!!![/quote]

There are free trials ;)[/quote]

Well then it's the best of the offers of d00m. It's still an offer of d00m though.