
Fuckin' spyware....


zeal311
2005-04-24, 03:13 PM
I downloaded a crack for a program a few days ago and it was a spyware program. It automatically installed itself before I could cancel it. I have run Ad-aware about 5 times, HijackThis once, and a trojan scanner. Each time it just comes back again. It's mainly just random annoying Internet Explorer popups advertising for shit. I use Mozilla by the way so it seems weird that it's using IE. Any suggestions or programs that will take care of it?

JRwakebord
2005-04-24, 03:18 PM
Hmm.. are you using the last updated files for Ad-aware and all the other programs? Another idea might be to shut off your internet access, run Ad-aware, reboot, run it again immediately, reboot again, and run it again. That should get rid of it without allowing it to re-install itself. Other than that, I'm not too sure. Maybe Spybot Search and Destroy might get it?

badboy
2005-04-24, 05:37 PM
Buy a new harddrive.

JRwakebord
2005-04-24, 05:42 PM
Yah, that's convenient.

Adrenachrome
2005-04-24, 06:54 PM
Yea dude, try Spybot S&D and use it to block the process at startup.

Grav
2005-04-24, 06:58 PM
Try the microsoft antispyware program? It's pretty good.

Adrenachrome
2005-04-24, 07:00 PM
Pardon my ignorance, but.... how?

Grav
2005-04-24, 07:02 PM
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

Adrenachrome
2005-04-24, 07:03 PM
Thanks.


By the way, I am 100% spyware and adware free only using Spybot.

zeal311
2005-04-25, 12:31 AM
Spybot S&D for the win. Thanks guys.

Lenny
2005-04-25, 12:36 PM
What's the program called??

Tried looking in add/remove to get rid of it?? Doubt it would work but...

Yeah, what's it called??

zeal311
2005-04-26, 10:12 PM
OMG it's back. I have run both Ad-aware and Spybot S&D and I am still getting these random IE popups. W....T....F....

JRwakebord
2005-04-26, 11:02 PM
Welcome to Windows, dollar twenty-five please.

Lenny
2005-04-27, 09:37 AM
And what is it called?? This spyware?? What do the popups say??

zeal311
2005-04-27, 01:14 PM
I ran HijackThis followed by Ad-aware followed by Spybot and the next time I restarted my comp I am still getting these fucking IE pop-ups. They are sucking up resources and are making it a bitch to play any PC games.

Death
2005-04-27, 01:55 PM
Try posting at http://computerproblems.org, they offer very good support for shit like this, helped me with a very annoying spyware as well.

Lenny
2005-04-27, 01:59 PM
Yeah but you still haven't said what the piece of spyware is called! And don't tell me you don't know, Ad-aware tells you...so...what is it called?? You may not believe it but I can probably help...

Adrenachrome
2005-04-27, 07:20 PM
Disable IE.

zeal311
2005-04-27, 09:55 PM
Here's my HijackThis log file:

Logfile of HijackThis v1.97.6
Scan saved at 10:53:54 PM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Dane Mclean\My Documents\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Wallpaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100822838656
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab

BlueCube
2005-04-27, 10:22 PM
Logfile of HijackThis v1.97.6

Get 1.99.1 first. (http://www.spywareinfo.com/~merijn/downloads.html)

zeal311
2005-04-27, 10:49 PM
Done and done


Logfile of HijackThis v1.99.1
Scan saved at 11:49:19 PM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\Dane Mclean\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.royalsearch.net/search.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Wallpaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100822838656
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Lenny
2005-04-28, 09:54 AM
You say it keeps on coming back...run Ad-aware and tell us the one that is always repeated...

BlueCube
2005-04-28, 01:44 PM
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjh32.exe

I don't like this one. It's a randomized name, inside of system32.

Sovereign
2005-04-28, 01:44 PM
And that means....?

BlueCube
2005-04-28, 01:45 PM
Kill it, obviously. In safe mode.

Sovereign
2005-04-28, 01:46 PM
No. I meant why did you single that out. What does it do O_o

I'm retarded in anything regarding spyware.

BlueCube
2005-04-28, 01:53 PM
Don't know what it does, because I don't have the EXE in front of me. However, like I mentioned - it's a randomized filename, does NOT show up in any Google search, and is hiding in system32 under a really strange yet "official sounding" name of "checkrun". It's running on every startup, likely acting as a trickler for spyware or just outright installing and running it on boot. I'm going to GUESS it's a CoolWebSearch variant because of the filename/system32 thing, but I honestly don't know since the filename's random.
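
The triage BlueCube is doing by eye (an O4 Run entry pointing at an unknown executable in system32 under a value name that has nothing to do with the file, plus the R1 search-URL hijack in the second log) can be written down as a small log checker. The script below is an added example, not code from the thread or from HijackThis; the sample lines are copied from the two logs posted above, and the baseline sets (`SYSTEM_BASELINE`, `SEARCH_HOSTS`, `ACTIVEX_HOSTS`) are hypothetical allowlists you would tune to your own clean machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format. The lines are copied from the two
# logs posted in this thread; it is not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.royalsearch.net/search.html
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Wallpaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>\S+) = (?P<url>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<label>[^)]*)\))? - (?P<url>\S+)$")

# Hypothetical baselines: what a clean XP box of the period is expected to show.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\", "\\windows\\system\\")
SYSTEM_BASELINE = {"ctfmon", "rundll32"}   # OS binaries expected in a Run key from system32
SEARCH_HOSTS = {"search.msn.com", "www.google.com"}
ACTIVEX_HOSTS = {"download.microsoft.com", "www.creative.com", "download.macromedia.com"}


def exe_path(cmd: str) -> str:
    """Return the executable part of a Run value (strip quoting and arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def check_o4(name: str, cmd: str):
    """Flag a Run entry whose executable lives in a Windows system directory but
    is not a known OS binary; add a note when the value name has nothing to do
    with the file name (the "checkrun" -> eliterjh32.exe pattern)."""
    path = exe_path(cmd)
    lowered = path.lower()
    stem = lowered.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not any(d in lowered for d in SYSTEM_DIRS) or stem in SYSTEM_BASELINE:
        return None
    note = "unknown executable launched from a Windows system directory"
    tidy_name = re.sub(r"[^a-z0-9]", "", name.lower())
    if tidy_name and tidy_name not in stem and stem not in tidy_name:
        note += "; Run value name unrelated to the file name"
    return path, note


def scan(log_text: str):
    """Return (section, item, object, note) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            result = check_o4(m["name"], m["cmd"])
            if result:
                findings.append(("O4", m["name"], result[0], result[1]))
        elif m := R1_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if host not in SEARCH_HOSTS:
                findings.append(("R1", m["value"], host, "search provider not in baseline"))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if host not in ACTIVEX_HOSTS:
                findings.append(("O16", m["label"] or m["clsid"], host,
                                 "ActiveX control downloaded from a non-baseline host"))
    return findings


if __name__ == "__main__":
    for section, item, obj, note in scan(SAMPLE_LOG):
        print(f"{section:4} {item!r:22} {obj}: {note}")
```

Run against the sample it reports exactly two entries: the `checkrun` Run value and the royalsearch.net search URL; the Creative ActiveX control passes because its host is in the baseline. The point of the baseline sets is that a Run key in system32 is only suspicious relative to what the box normally has there, so the lists are the part you maintain, not the regexes.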

Penny_Bags
2005-04-28, 02:57 PM
I have the same fucking problem and I am far too lazy to fix it... spyware removal programs with the simple scan and deletion just aren't good enough for the IE pop-ups I keep getting.... Maybe I'll uninstall IE.

Sovereign
2005-04-28, 03:29 PM
I tried to do that on my old laptop. The fucker WON'T LET YOU UNINSTALL. Every time I deleted the IE icon in my c:/ directory, it kept on popping right back up.

I hate this norton piece of shit. It detects spyware but then it can't delete it.

Lenny
2005-04-28, 03:31 PM
Hey, it's a clever one...:D...

Should be WINDOWS in caps, system32 with a capital S...he he he...these are my favourite kind!!!

Lenny
2005-04-28, 03:32 PM
It is possible to do. Just as hard to do as to completely remove Fun Web Products. Nasty pieces of work...both of 'em.

D3V
2005-04-28, 04:10 PM
Download Mozilla Firefox and use it for your 'net. That's what I did a while back..never any problems.

BlueCube
2005-04-28, 08:30 PM
Re: IE uninstallation

Open up My Computer - there's Internet Explorer. Go ahead and type google.com in the address bar and hit enter - it switches to IE mode, and takes you right there. It's built into the shell. (Which is the reason for most spyware infestations - if you compromise Firefox/Opera somehow, you might have access to the history, cache, or bookmarks. If you compromise IE, you have access to the entire system, including Windows itself.)

Uninstalling it completely means you'd have to get another file manager like AB Commander (http://www.file-manager.com/) or something. It's possible, but so much of a hassle that you may as well just keep IE as clean as possible and continue to use it as a file manager. Just toss Firefox (http://getfirefox.com) or Opera (http://opera.com/) on there and get used to one of them. It's either that or going through the steps necessary to secure IE - patching, (which you should do anyway), locking the HOSTS file, disabling ActiveX, etc. Nothing wrong with using IE if you can keep it clean and you stay completely away from unknown sites.

If you care, Secunia (http://secunia.org) says that IE6 has 17 unpatched vulnerabilities (http://secunia.com/product/11/) (80 total, so if you didn't patch, that's a big problem), Firefox has 4 unpatched vulnerabilities (http://secunia.com/product/4227/) (one of which involves dragging images to the address bar, and another which involves Apple Java) and Opera 8 has a scant 0 vulnerabilities so far (http://secunia.com/product/4932/) which surprised me, actually.

D3V
2005-04-28, 09:00 PM
That about sums it up in a nutshell. After my last re-installation of Windows I patched everything I could on IE and never used it again. I went straight to Firefox and haven't had ANY problems. Windows is too integrated for its own good...why IE is so vulnerable.

zeal311
2005-04-28, 10:49 PM
Ok, installed and am using Mozilla Firefox, restarted comp in safe mode, ran HijackThis, Spybot, and Ad-aware, restarted and have not had a pop-up yet. *crosses fingers* Thanks for the help guys.