Tilted Forum Project Discussion Community  

Old 02-20-2005, 03:24 AM   #1 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
spyware HELP please!!

oh Gurus please help me if you can..

Anyone know how to get rid of Virtual bouncer and Addestroyer?
Don't know where I got them but they won't erase with ad-aware, spybot or trojan remover.

I keep getting these annoying holiday and gambling ads all the time.. They pop-up over any prog.

I also have norton but none of the progs above have removed the problem.

It always installs and runs these popups even if the registry doesn't seem to load any weird stuff and "add/remove programs" looks ok...

I have XP.

I have a hijackthis-program, but can anyone of you guys interpret that and then maybe know what's up...

thanks!
Raleighbum is offline  
Old 02-20-2005, 03:30 AM   #2 (permalink)
Go Cardinals
 
soccerchamp76's Avatar
 
Location: St. Louis/Cincinnati
Try running the Ad-Aware or Spybot in Safe Mode.
Hi-Jack this will fix it though. Take out anything that looks suspicious (has the VirtualBouncer in the file name, or ads, or something similar) or any BHO's that have no name or file.
Some of them are tricky, one of the spyware I saw on a kid's computer was "Quicktimee.exe" which normally you would pass over but with the extra "e" you know it is fake and most likely a virus/spyware. I have seen Windows.exe before and other such.
__________________
Brian Griffin: Ah, if my memory serves me, this is the physics department.
Chris Griffin: That would explain all the gravity.
soccerchamp76 is offline  
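Editor's added example (not part of any post in this thread): a Python sketch of the look-alike check described in post #2, flagging an image name that is one edit away from a known name, or a known name running from the wrong directory. The `BASELINE` table is constructed for illustration, and the `quicktime.exe` name and path in it are hypothetical.

```python
import ntpath

# Constructed baseline: image name -> directory it is expected to run from.
BASELINE = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "quicktime.exe": r"c:\program files\quicktime",  # hypothetical name and path
}


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_image(path, max_dist=1):
    """Return (verdict, matched baseline name) for one process image path."""
    directory, name = ntpath.split(path.lower())
    if name in BASELINE:
        # Exact name: only trusted when it runs from the expected directory.
        verdict = "ok" if directory == BASELINE[name] else "misplaced"
        return (verdict, name)
    for good in BASELINE:
        # Near miss on a known name, e.g. one extra or swapped character.
        if edit_distance(name, good) <= max_dist:
            return ("lookalike", good)
    return ("unknown", None)


def triage(paths):
    """Map each image path to its verdict."""
    return {p: check_image(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, mixing names from the thread with made-up ones.
    sample = [
        r"C:\WINDOWS\System32\svchost.exe",
        r"C:\WINDOWS\Temp\svchost.exe",
        r"C:\Program Files\QuickTime\Quicktimee.exe",
        r"C:\WINDOWS\autoupdt.exe",
    ]
    for path, verdict in triage(sample).items():
        print(verdict, path)
```

An "unknown" verdict only means the name is absent from the baseline; it still needs a manual look.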
Old 02-20-2005, 09:35 AM   #3 (permalink)
Addict
 
Are you running the messenger service? Are they messenger popups, or just IE popups?
phukraut is offline  
Old 02-20-2005, 12:49 PM   #4 (permalink)
Psycho
 
supafly's Avatar
 
Location: Rotterdam
I use a program called Hitman Pro, this is a combination of several ad-removers. Maybe this program can help to solve your problem.

http://www.hitmanpro.nl/

It's in Dutch but quite straightforward.
Good luck
__________________
Thumbs up
supafly is offline  
Old 02-20-2005, 01:11 PM   #5 (permalink)
Go Cardinals
 
soccerchamp76's Avatar
 
Location: St. Louis/Cincinnati
Post your HiJack-this log
__________________
Brian Griffin: Ah, if my memory serves me, this is the physics department.
Chris Griffin: That would explain all the gravity.
soccerchamp76 is offline  
Old 02-21-2005, 12:43 PM   #6 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Quote:
Originally Posted by phukraut
Are you running the messenger service? Are they messenger popups, or just IE popups?

ie programs.. would be nice to be able to just BLOCK those couple addresses where they come from, but that's not possible with explorer, right?
Raleighbum is offline  
Old 02-21-2005, 12:54 PM   #7 (permalink)
Registered User
 
ok..download spysweeper.. it's the best prog I've seen and I use it myself www.webroot.com/downloads.. load it.. get the updates and then go to safe mode and run it.. your computer will thank you
Glory's Sun is offline  
Old 02-21-2005, 03:51 PM   #8 (permalink)
Addict
 
You can block specific addresses through the HOSTS file. Just add the domain and no more connections from that domain.
phukraut is offline  
Old 02-21-2005, 06:40 PM   #9 (permalink)
Upright
 
No disrespect to guccilvr but spysweeper is a piece of junk, stick with ad-aware and spybot, and if you are on XP install Microsoft's anti-spyware
Cryptie is offline  
Old 02-21-2005, 06:52 PM   #10 (permalink)
Registered User
 
Location: Deep South Texas
maybe--just maybe, it is in one of your system files, and XP protects them with the restore facility...

turn off your restore...
run every spy checker you have..
then turn restore back on and reboot..

a little prayer right here, helps..
viejo gringo is offline  
Old 02-21-2005, 07:11 PM   #11 (permalink)
Not so great lurker
 
Location: NY
I believe that using the immunize feature from spybot should help you in the future in blocking the "known" sites from installing spyware.
As for the windows messenger service most people do NOT need to use this (some exceptions apply), and I think that running just about any firewall will block those popups.
heyal256 is offline  
Old 02-22-2005, 04:08 AM   #12 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Nothing still works.... Safe modes and running all updated Ad-awares and spybots and trojan removers.
It really sucks..
Quote:
soccerchamp76 Post your HiJack-this log
Here's my hijackthis-file :
(could it be those HOST files "- O1 - Hosts: 69.20.16.183 ieautosearch"?)
Can anyone see something weird?

Logfile of HijackThis v1.99.0
Scan saved at 14:04:56, on 22.2.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\autoupdt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\peter\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: autoupdt - Unknown - C:\WINDOWS\autoupdt.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Last edited by Raleighbum; 02-22-2005 at 11:17 PM..
Raleighbum is offline  
Old 02-22-2005, 05:51 AM   #13 (permalink)
Upright
 
Use hijack this to pull these keys

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O23 - Service: autoupdt - Unknown - C:\WINDOWS\autoupdt.exe

Download WinsocketFix to repair the lsp hijack

the userinit one is the nasty bugger, if you can't get rid of that it will just reload EVERY time you log on
Cryptie is offline  
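Editor's added example (not part of any post in this thread): a Python sketch that triages a HijackThis log for the entry types singled out in post #13, namely F2 logon entries, O1 hosts redirects, O10 unknown Winsock LSP files and O23 services with an "Unknown" vendor. The excerpt is copied from the log posted in post #12; the category names are assumptions, and the output is a list for manual review, not a removal list.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log posted in this thread (post #12).
LOG_EXCERPT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: autoupdt - Unknown - C:\WINDOWS\autoupdt.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# Addresses that sink traffic locally; a hosts entry pointing elsewhere redirects it.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
LSP_PREFIX = "Unknown file in Winsock LSP:"


def triage(log_text):
    """Return a Counter of (category, detail) findings, with repeat counts."""
    findings = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, rest = m.groups()
        if code == "F2":
            # system.ini/win.ini mapped values that run at logon
            findings[("logon-entry", rest)] += 1
        elif code == "O1" and rest.startswith("Hosts:"):
            parts = rest[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOCAL_SINKS:
                findings[("hosts-redirect", f"{parts[1]} -> {parts[0]}")] += 1
        elif code == "O10" and rest.startswith(LSP_PREFIX):
            findings[("winsock-lsp", rest[len(LSP_PREFIX):].strip().lower())] += 1
        elif code == "O23" and rest.startswith("Service:"):
            # Layout is "name - vendor - path"; split from the right.
            fields = rest[len("Service:"):].strip().rsplit(" - ", 2)
            if len(fields) == 3 and fields[1].strip().lower() == "unknown":
                findings[("service-unknown-vendor", f"{fields[0]} ({fields[2]})")] += 1
    return findings


if __name__ == "__main__":
    for (category, detail), count in sorted(triage(LOG_EXCERPT).items()):
        print(f"{category:24} x{count}  {detail}")
```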
Old 02-22-2005, 06:32 AM   #14 (permalink)
Registered User
 
Quote:
Originally Posted by Cryptie
No disrespect to guccilvr but spysweeper is a piece of junk, stick with ad-aware and spybot, and if you are on XP install Microsoft's anti-spyware

you're kidding right?? You can run adaware and spybot 100 times with all the latest updates and go behind it with spysweeper and find stuff they left behind. IMO (no disrespect either) spybot is a piece of shit. I haven't had a chance to use microshits..err Microsoft's new anti-spyware stuff so I don't know what to think of it..
Glory's Sun is offline  
Old 02-22-2005, 05:15 PM   #15 (permalink)
Upright
 
I guess my only problem with spysweeper is that it has A LOT of false positives. Which would explain why you can always find extra stuff with it. Not saying it doesn't remove some things that the other two won't, every program out there currently misses something that another one will find.
Cryptie is offline  
Old 02-22-2005, 05:50 PM   #16 (permalink)
Insane
 
Talking about lots of false positives, try using PestPatrol. If you don't set it up right, it will remove a lot of your software. Even after you do set it up, you still get a bunch of false positives. I tried it once and decided not to use that evil thing again.
vinaur is offline  
Old 02-26-2005, 10:37 AM   #17 (permalink)
Insane
 
Location: bangor pa
microsoftantispyware beta search it on microsoft.com free download
__________________
Quote:
Originally Posted by Redlemon
...but if you only add files and you never delete, there's nothing to cause file fragmentation, so pattycakes is correct.
pattycakes is offline  
Old 03-01-2005, 03:50 AM   #18 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Quote:
Originally Posted by Cryptie
Use hijack this to pull these keys

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O23 - Service: autoupdt - Unknown - C:\WINDOWS\autoupdt.exe

Download WinsocketFix to repair the lsp hijack

the userinit one is the nasty bugger, if you can't get rid of that it will just reload EVERY time you log on

WinsocketFix.. where can I get that?
Raleighbum is offline  
Old 03-01-2005, 07:37 AM   #19 (permalink)
Insane
 
trache's Avatar
 
LSPFix is available here. Not for the faint of heart:
http://www.cexx.org/lspfix.htm

WinsockFix is available here:
http://www.majorgeeks.com/download4372.html

Post a screenshot or the information you find out of any of these programs, and we may be able to help you further.
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip
trache is offline  
Old 03-03-2005, 01:56 PM   #20 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Quote:
Originally Posted by trache
LSPFix is available here. Not for the faint of heart:
http://www.cexx.org/lspfix.htm

WinsockFix is available here:
http://www.majorgeeks.com/download4372.html

Post a screenshot or the information you find out of any of these programs, and we may be able to help you further.
Thanks! I'll try with those now..

the connection has become very unstable.. crashing all the time, every 10-15 mins... modem and provider work ok, checked that so -
It could have to do with the "hosts" that keep opening those browser pages..
ads.. spotresults.com etc.. grr...

But trying that now thanks a lot.

Last edited by Raleighbum; 03-03-2005 at 01:59 PM..
Raleighbum is offline  
Old 03-05-2005, 11:22 AM   #21 (permalink)
Junkie
 
G5_Todd's Avatar
 
Location: Reichstag
last time I got infected with spyware...I knew pretty much immediately...so I copied some stuff I was working on to a cd and did a system restore to the day b4...it worked perfectly
G5_Todd is offline  
Old 03-07-2005, 12:49 PM   #22 (permalink)
Psycho
 
I've been using the Microsoft Antispyware Beta at work, seems to catch a TON of stuff that adaware and spybot miss. That and hijack this seems to work for just about everything.
Exodus is offline  
Old 03-07-2005, 01:42 PM   #23 (permalink)
Insane
 
trache's Avatar
 
Quote:
Originally Posted by Raleighbum
Thanks! I'll try with those now..

the connection has become very unstable.. crashing all the time, every 10-15 mins... modem and provider work ok, checked that so -
It could have to do with the "hosts" that keep opening those browser pages..
ads.. spotresults.com etc.. grr...

But trying that now thanks a lot.
If you find that your hosts file gets replaced every time you try to modify it, you obviously have a process resident in memory that is changing it.

I had taken a look at a computer once that had one of these on it. It loaded itself into the HKEY_CLASSES_ROOT\something or other\exefile\open registry key to make sure that it got itself installed every time a program was run. Make sure that you run most of these utilities (I'm not sure about LSPFix or Winsockfix) in safe mode. Before that, AVG or Norton etc because they scan registry keys too.
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip
trache is offline  
Old 03-19-2005, 01:37 AM   #24 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Thanks all ppl, but it was so damn bad that nothing worked and I decided to Format C:...

That really works!


And changed to Mozilla.

but now I only have to figure out a way to get my backups from my other HD that is formatted with a XP professional to use with this new XP Home version... Grrrr.

That is the stupidest thing I've seen that Microsoft has put this block there that the HD's formatted with a different version are not compatible..
Raleighbum is offline  
 
