Two Plus Two Older Archives  

#1 mmcd, 01-21-2005, 10:14 AM
Computer problems

All of a sudden, my computer is pretty f'd up.

I'm getting all sorts of popups and this program called "Websearch" and a few others keeps reinstalling themselves after I delete them. I ran Ad-aware, but all this [censored] just keeps coming back. I tried to do a system scan with Symantec, but every time I click on "scan" after I open the program, I get a message saying that the program has encountered an error and needs to close. Also, I can't get to certain websites like google, aol.com, and some others, I end up getting the cannot find server message. I can't sign in to aim either. The problems with AIM and the internet sites have been happening for maybe a month, but when I was home over Christmas and connected to internet at my parents' house, everything worked fine. The popups have just started over the last couple of days.

How do I fix all this?

#2 moondogg, 01-21-2005, 10:19 AM
Re: Computer problems

Try using Spybot Search & Destroy

The beta version of the Windows Antispyware tool seems to work pretty well too.

If that doesn't work, try HijackThis. Be careful with this one though, you have to know what you're deleting.

#3 scotnt73, 01-21-2005, 10:29 AM
Re: Computer problems

I've always been able to remove websearch from ad remove programs for my users and it doesn't come back for them.

#4 TomR, 01-21-2005, 10:39 AM
Re: Computer problems

Here are some very detailed instructions on how to remove that type of garbage:

I think my computer is infected or hijacked. What should I do?

It includes instructions on how to get started with HijackThis and where and what information to post to get help with cleaning it all up. The people on that forum have always been very helpful.

Good luck

#5 RainDog, 01-21-2005, 10:47 AM
Re: Computer problems

Good luck with the evils of spyware. This stuff is getting worse too. Anyone else contract one of the latest VX2 variants? It disables both Spybot S&D and the Recycle Bin on top of creating more popups than I've ever seen before. Couldn't even play poker for days. Anyways, I was finally able to remove it with some help from the lavasoft forums. If anyone else runs into this bugger (You'll have a file in the Windows/System32 folder called guard.tmp) here's the forum page. What adawareSE is able to take care of, it regenerates with random 6 letter files on start up. I've had viruses before that never created this level of hassle, but for now...I'm ad free.

#6 mmcd, 01-21-2005, 12:59 PM
Re: Computer problems

My recycle bin doesn't work (nothing shows up when I open it, and when I click empty and it says do you want to delete these 56 files, nothing happens when I click yes). Also Spybot encounters an error whenever I try to run it.
There is no "guard.tmp" file in my system32 folder though.

#7 RainDog, 01-21-2005, 01:34 PM
Re: Computer problems

Yup, I had the same exact problem with the recycle bin...cept' mine was 41 files and they would never delete though it appeared empty.

Likely a variant of VX2...try to follow the instructions on that lavasoft page I linked to in the previous post. Also, guard.tmp could be a hidden file. Go to the "C:\WINDOWS\SYSTEM32\" and click on "Tools" then "View", then "Show hidden files and folders". See if it shows up. Whether it does or not, try the solutions on the lavasoft forum. It seems a little computer savvy, but I'm not too keen on this stuff and I managed. Follow through with what the 2nd poster did as well, because the first post took care of a lot of things but not everything.

Also, once you can see hidden files find your "Temp" and "Temporary Internet Files" folders: For me they are located under "C:\Documents and Settings\Owner\Local Settings\". A lot of malicious files hang out here and you don't need anything that is kept in these folders. Delete everything inside them. Also from the Internet Explorer window, go to "Tools" then "Internet Options" then click on "Delete Cookies", "Delete Files", and "Clear History". Then click on "Settings" and reduce the Temporary Internet File storage space to 50MB if it is any higher. These things can reduce popups and improve system operations. Everyone should do this regularly even if they do not have spyware problems. Warning: This can however delete passwords that are remembered by the computer (which you shouldn't do anyways). So make sure you have them written down somewhere and don't rely on IE to punch them in for you before you start deleting this stuff.

#8 mmcd, 01-21-2005, 04:32 PM
Problem solved...I hope

Thanks a lot RainDog, that simple 15-step process really seemed to do the trick. The recycle bin is back to normal and none of those stupid programs have reinstalled themselves again. I have no clue where I got this from because for the last 2 or 3 days, all I've really done on the internet is play poker, check e-mail, post here, etc. No downloads or porn or anything like that. Any idea where I might have picked this thing up? Also, is there anything I can do to prevent getting it again? Both yesterday and today when I turned on my computer I got a notification from the Symantec icon in the task bar that my real time protection had been disabled, and I couldn't even open the program.

#9 mmcd, 01-21-2005, 04:42 PM
Almost (still some pop-ups)

I got rid of all the stuff that was clearly bad using HijackThis, but I must have missed some. Anybody know which of these I still need to get rid of:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {9F66FA9C-8AAB-20AF-0D91-C36E58A0B085} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [QCWLICON] C:\PROGRAM FILES\THINKPAD\CONNECTUTILITIES\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\THINKPAD\CONNEC~1\QCTRAY.EXE
O4 - HKLM\..\Run: [mstask32] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\-BE80-4C\DLLHOST.EXE"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=013105 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\nnpx.exe] C:\WINDOWS\nnpx.exe
O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O17 - HKLM\Software\..\Telephony: DomainName = deacnet.wfu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deacnet.wfu.edu
O21 - SSODL: System - {9CC6F621-ED45-4595-9F4A-29FA6500C9D5} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINDOWS\System32\msupd4.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PLSRemote Service - Unknown - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Software Secure Service - Unknown - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

#10 RainDog, 01-21-2005, 06:52 PM
Re: Almost (still some pop-ups)

Glad I could help. That's a lot of stuff there. I'm not sure about a lot of the stuff, but all the R0 and O2 entries are bad.

As far as measures you could take to prevent this stuff again, there's all kinds of stuff out there. If you don't mind paying, AdAware's "adwatch" is excellent. It runs in the background and ensures nothing creeps up on you. CNET.com is a good place to find reviews of freeware if you want to take that route. Don't just buy some software from the store assuming it's better because it costs money though. I had SpyCatcher for awhile which I got from Target, but it missed an awful lot. Always use Spybot's "Immunize" button, but I'm sure you do that already.
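
The first-pass reading of a HijackThis log that this thread does by eye, as an added Python example that is not part of the original posts or of HijackThis itself. The sample lines are excerpted from the log in post #9; the function names and the three review rules are assumptions chosen for illustration and only report what the line itself says.

```python
import re

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {9F66FA9C-8AAB-20AF-0D91-C36E58A0B085} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O21 - SSODL: System - {9CC6F621-ED45-4595-9F4A-29FA6500C9D5} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

# What the HijackThis section codes seen in this thread refer to.
SECTIONS = {
    "R0": "IE start/search page", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart (Run key / Startup folder)",
    "O9": "extra IE button or Tools menu item",
    "O17": "TCP/IP domain setting",
    "O21": "ShellServiceObjectDelayLoad", "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log):
    """Return (code, detail) for every well-formed log line."""
    lines = (line.strip() for line in log.splitlines())
    return [m.groups() for m in map(ENTRY.match, lines) if m]

def triage(log):
    """Attach structural observations to each entry (not verdicts)."""
    out = []
    for code, detail in parse(log):
        notes = []  # illustrative review rules, assumptions of this example
        if "(no file)" in detail or "(file missing)" in detail:
            notes.append("referenced file is absent")
        if code == "O2" and "(no name)" in detail:
            notes.append("BHO registered without a name")
        if code == "O23" and " - Unknown - " in detail:
            notes.append("service vendor listed as Unknown")
        out.append({"code": code, "section": SECTIONS.get(code, "other"),
                    "detail": detail, "notes": notes})
    return out

def needs_review(log):
    """Entries with at least one observation, in log order."""
    return [e for e in triage(log) if e["notes"]]

if __name__ == "__main__":
    for e in needs_review(SAMPLE_LOG):
        print(f'{e["code"]:<4}{e["section"]}: {"; ".join(e["notes"])}')
        print(f'    {e["detail"]}')
```

An entry with no notes is not thereby clean, and a flagged one is not thereby malicious; the output only narrows which lines to look up before fixing anything in HijackThis.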