Help... Mystery Popup Virus?? (0/1)

SS

Hi...

Running:

WinXP Pro 5.1.2600 SP2 build 2600 with all of the
automatic updates.

IE6 6.0.2900.2180.xpsp_sp2_gdr.070227-2254IC
also with the automatic updates.

(Note...this also happens with Firefox.)

This does NOT happen when viewing htm files on my
hard drive...only online websites (and not every
site...for instance, Sun's Java site seemed
immune.)

Popups occur randomly...sometimes as straight ads,
sometimes as shown in the attached images. (These
are shrunk or cropped to keep them small ... and
the first one has red ovals that I added to show
the non-full-screen popups.)

Sometimes they open a full-screen
window...sometimes smaller windows.

Here's what I have tried already:

I have uninstalled Java 4 and 5 and installed Java
6 (This was suggested in an earlier response to
someone else's post).

I went into my process list and deleted everything
that seemed nonessential.

Using Tuneup Utilities 2008, I disabled all the
unidentifiable start-up files...BUT...the
following one kept coming back, so it is high on
my suspect list: VDSKEKTH.exe

An internet search for VDSKEKTH.exe came up empty.

I have scanned my entire computer with McAfee AV
and AdAware to no avail.

I am open to all suggestions.

I will check this newsgroup religiously, but I can
also be reached at info@sanderhome.com

Thanks.
SS
 
Malke

SS wrote:

> Hi...
>
> Running:
>
> WinXP Pro 5.1.2600 SP2 build 2600 with all of the
> automatic updates.
>
> IE6 6.0.2900.2180.xpsp_sp2_gdr.070227-2254IC
> also with the automatic updates.
>
> (Note...this also happens with Firefox.)
>
> This does NOT happen when viewing htm files on my
> hard drive...only online websites (and not every
> site...for instance, Sun's Java site seemed
> immune.)
>
> Popups occur randomly...sometimes as straight ads,
> sometimes as shown in the attached images. (These
> are shrunk or cropped to keep them small ... and
> the first one has red ovals that I added to show
> the non-full-screen popups.)


(snippage)

Thank you for being thorough but:

1. It would have been simpler to just tell us "AntiSpyware Master" and leave
off all the screenshots.

2. Also, next time don't make 4 separate posts about the same subject.

AntiSpyware Master is just another rogue antispyware program and your
computer is infested. Here is a thread showing how to remove it but if your
computer skills are not high (and I'm not saying they aren't - I have no
way of knowing whether you have MadSkilz or not) I strongly suggest that
you register at BleepingComputer or one of the other specialty forums
listed below and get guided help. DO NOT POST HIJACK THIS LOGS IN THE MS
NEWSGROUPS.

http://www.bleepingcomputer.com/forums/topic143309.html

Other specialty malware removal forums:

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5

Choose one, register and read its posting FAQ. You will generally be asked
to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe Format --> uncheck "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

Standard disclaimer: I can't see and test your computer myself, so these are
just suggestions based on many years of being a professional computer tech
and on what you've written. You should not take my
suggestions as a definitive diagnosis. If you can't do the work yourself
(and there is no shame in admitting this isn't your cup of tea), take the
machine to a professional computer repair shop (not your local equivalent
of BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may be
so infested that Windows will need to be clean-installed. If possible, have
all your data backed up before you take the machine into a shop.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
SS

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked!

On Wed, 30 Apr 2008 07:27:21 -0700, Malke
<malke@invalid.invalid> wrote:


>
>http://www.bleepingcomputer.com/forums/topic143309.html
>


The above seems to have worked!

It was actually quite easy -- though the full scan
by SuperAntiSpyware took hours and hours.

Thank you so much...and sorry about the image
posts...I'll try to remember that in the future.

SS
 
David H. Lipman

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked!

From: "SS" <scooby@doo.com>

| On Wed, 30 Apr 2008 07:27:21 -0700, Malke
| <malke@invalid.invalid> wrote:



>>http://www.bleepingcomputer.com/forums/topic143309.html



| The above seems to have worked!

| It was actually quite easy -- though the full scan
| by SuperAntiSpyware took hours and hours.

| Thank you so much...and sorry about the image
| posts...I'll try to remember that in the future.

| SS

There was nothing wrong with the "image posts".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Malke

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked!

SS wrote:

> On Wed, 30 Apr 2008 07:27:21 -0700, Malke
> <malke@invalid.invalid> wrote:
>
>
>>
>>http://www.bleepingcomputer.com/forums/topic143309.html
>>

>
> The above seems to have worked!
>
> It was actually quite easy -- though the full scan
> by SuperAntiSpyware took hours and hours.
>
> Thank you so much...and sorry about the image
> posts...I'll try to remember that in the future.


I'm very glad that worked for you. As David Lipman said, there was nothing
wrong with posting a link to an image; it was the three separate posts I
wasn't crazy about. But no harm, no foul. -)

Thanks for taking the time to let us know everything is resolved.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
SS

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked! - No it didn't! It's back.


>>>

>>
>> The above seems to have worked!
>>
>> It was actually quite easy -- though the full scan
>> by SuperAntiSpyware took hours and hours.
>>


I can't believe it. Now it's popping up a window
every now and then that tries to go to:
85.12.43.69

(but my browser won't go there...get the usual
error when you can't access a site.)

It even does that when I am not browsing.
(I'm going to turn off AIM and my weather bot to
see if that helps)

Also...my browser is running really slow, and
can't seem to go certain places.

Ugghhh!!!

I'll try that procedure again and see what
happens.
 
pcbutts1 [MS MVP]

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked! - No it didn't! It's back.

Use my free Remove-it software, it will remove that malware from your
system. Download it here http://pcbutts1.com/downloads/tools/tools.htm

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Beauregard T.
Shagnasty, Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell




"SS" <scooby@doo.com> wrote in message
news:ce3m14djdifrp58dp3u5lojjmtqlqi3ij6@4ax.com...
>
>>>>
>>>
>>> The above seems to have worked!
>>>
>>> It was actually quite easy -- though the full scan
>>> by SuperAntiSpyware took hours and hours.
>>>

>
> I can't believe it. Now it's popping up a window
> every now and then that tries to go to:
> 85.12.43.69
>
> (but my browser won't go there...get the usual
> error when you can't access a site.)
>
> It even does that when I am not browsing.
> (I'm going to turn off AIM and my weather bot to
> see if that helps)
>
> Also...my browser is running really slow, and
> can't seem to go certain places.
>
> Ugghhh!!!
>
> I'll try that procedure again and see what
> happens.
 
Malke

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked! - No it didn't! It's back.

SS wrote:


> I can't believe it. Now it's popping up a window
> every now and then that tries to go to:
> 85.12.43.69
>
> (but my browser won't go there...get the usual
> error when you can't access a site.)
>
> It even does that when I am not browsing.
> (I'm going to turn off AIM and my weather bot to
> see if that helps)
>
> Also...my browser is running really slow, and
> can't seem to go certain places.
>
> Ugghhh!!!
>
> I'll try that procedure again and see what
> happens.


I can easily believe it since I deal with this sort of thing every day. A
lot of the current crop of malware variants are extremely hard to remove,
respawning, using rootkits, etc. Instead of going through the procedure at
the link again, I strongly suggest that you register at BleepingComputer or
one of the other specialty forums and get guided help. A program was
suggested by another poster in this thread that I cannot recommend. The
program may work but is hosted on a site that also hosts pr0n. Draw your
own conclusions from that.

Here is the information about the specialty forums again for your
convenience:

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5

Choose one, register and read its posting FAQ. You will generally be asked
to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe Format --> uncheck "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
pcbutts1 [MS MVP]

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked! - No it didn't! It's back.

I don't host porn; why do you believe trolls?

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz, Beauregard T.
Shagnasty, Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell




"Malke" <malke@invalid.invalid> wrote in message
news:e2knc3FrIHA.3616@TK2MSFTNGP06.phx.gbl...
> SS wrote:
>
>
>> I can't believe it. Now it's popping up a window
>> every now and then that tries to go to:
>> 85.12.43.69
>>
>> (but my browser won't go there...get the usual
>> error when you can't access a site.)
>>
>> It even does that when I am not browsing.
>> (I'm going to turn off AIM and my weather bot to
>> see if that helps)
>>
>> Also...my browser is running really slow, and
>> can't seem to go certain places.
>>
>> Ugghhh!!!
>>
>> I'll try that procedure again and see what
>> happens.

>
> I can easily believe it since I deal with this sort of thing every day. A
> lot of the current crop of malware variants are extremely hard to remove,
> respawning, using rootkits, etc. Instead of going through the procedure at
> the link again, I strongly suggest that you register at BleepingComputer
> or
> one of the other specialty forums and get guided help. A program was
> suggested by another poster in this thread that I cannot recommend. The
> program may work but is hosted on a site that also hosts pr0n. Draw your
> own conclusions from that.
>
> Here is the information about the specialty forums again for your
> convenience:
>
> http://aumha.org/downloads/hijackthis.zip
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
> http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
> tutorial
> http://aumha.net/ - Click on the HijackThis forum. Read the announcement
> and
> the stickies *first*.
> http://www.atribune.org/forums/index.php?showforum=9
> http://aumha.net/viewforum.php?f=30
> http://www.bleepingcomputer.com/forums/forum22.html
> http://castlecops.com/forum67.html
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://spywarewarrior.com/viewforum.php?f=5
>
> Choose one, register and read its posting FAQ. You will generally be asked
> to:
>
> 1. Download and execute HiJack This! (HJT) -
> http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
>
> 2. Disable Notepad's word wrap - In Notepad.exe Format --> uncheck
> "Word
> wrap"
>
> 3. Download/run Deckard's System Scanner -
> http://www.techsupportforum.com/sectools/Deckard/dss.exe
>
> 4. Save the scan results (Main.txt and Extra.txt)
>
> 5. And then post the contents of Main.txt and Extra.txt in your post at
> the
> forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
 
Leythos

Re: Help... Mystery Popup Virus?? (0/1) Thank you...it worked! - No it didn't! It's back.

In article <7OHSj.667$17.1@newssvr22.news.prodigy.net>, pcbutts1@leythosthestalker.com says...
> I don't host porn; why do you believe trolls?


What do you call the pictures you have posted links to that are on the
same site you link to in these groups?

The link info can be found in my sig, and it's clearly filthy porn. Yea,
you may have renamed it or moved it, but all of us older residents know
you had it there and you were PROUD of it, boasted about it, and you
plastered those links all over Usenet.



--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Fight exposing kids to porn, complain about sites like PCBUTTS 1.COM
that create filth and put it on the web for any kid to see: Just take a
look at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
 
