Pop-ups run amok!!!

  1. #1 RxMixer (Newbie)

    Pop-ups run amok!!!

    Howdy and salutations to all!!

    Last week two of my kids were on, and now we have tons o' pop-ups. If I go away from the computer for 15 minutes we can have 9 or 10 layers of them, and I'm running AOL pop-up blocker. Also have McAfee Firewall. I have run AdAware, Spybot, AOL's spy-blocker, AVG Antivirus and Norton Antivirus. When running AdAware it shows at least a half dozen VX2 problems each time I run it, along with a VX2 registry entry. When deleting the affected files it will clear out all files except for 2 files. One file is ALWAYS C:\windows\system\ItFRARED.DLL plus another random dll file in win\sys. It says it will clear it out during the next restart. OK. Guess what - on the next restart the random file is gone but ItFRARED.DLL is still there. Turns out to be a hidden file that cannot be deleted while running Windows. Tried to find it in DOS but it won't show using the dir /o/p search parameter, and I can't find it using
    C:\dir ItFRARED.DLL /s either. Any hints??

    Back to pop-ups, most seem to be
    e.m11.com
    spotresults.com
    http://69.20.56.3/yy.10.html
    http://69.20.56.3/normal/yy.12.html
    ads1.revenue.com
    zi.adserver.com

    Also, in HijackThis (log to follow), clicking the Config button on the right side -> Open hosts file manager gives this:

    127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
    127.0.0.1 pop3.spa.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
    127.0.0.1 code.ignphrases.com
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy
    127.0.0.1 www.igetnet.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com

    I have tried to delete all the igetnet, clear-search and qckads files on here and they won't go away. Any hints #2??

    This is my HijackThis log, done fresh, for you now:

    Logfile of HijackThis v1.98.2
    Scan saved at 5:53:20 PM, on 11/17/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ANTIVIRUS\AVG\AVGCC.EXE
    C:\PROGRAM FILES\ANTIVIRUS\AVG\AVGAMSVR.EXE
    C:\WINDOWS\RunDLL.exe
    D:\PROGRAM FILES\UTILITIES\FAST DEFRAG\FAST DEFRAG FREEWARE\FAST2.EXE
    D:\PROGRAM FILES\UTILITIES\SPYBOT\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\GIGABYTE\GIGABYTE WINDOWS UTILITY MANAGER\GWUM.EXE
    D:\PROGRAM FILES\UTILITIES\CWSHREDDER\CWSHREDDER\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MP***ENT.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    D:\AMERICA ONLINE 9.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    D:\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
    C:\PROGRAM FILES\DIAGNOSTIC TOOLS\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NAV DefAlert] D:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\ANTIVI~1\AVG\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\ANTIVI~1\AVG\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] D:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [FAST Defrag] D:\PROGRA~1\UTILIT~1\FASTDE~1\FASTDE~1\FAST2.EXE -tray
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Utilities\Spybot\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
    O4 - Startup: SpySubtract.lnk = D:\Program Files\Utilities\CWShredder\cwshredder\SpySub.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O15 - Trusted Zone: http://Windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://Download.Windowsupdate.com
    O15 - Trusted Zone: *.akamai.net
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted Zone: http://www.bestbuy.com
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/...e/collapse.cab
    O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://actimage.dancik.com/ib/downlo...image30610.cab
    O16 - DPF: {6F83E5B0-E6B8-4416-A700-94C9C97C7BAA} (Actimage Palette Control) - http://actimage.dancik.com/ib/download/palette20816.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5....-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.0.3...-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2...-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet...-ob-assets.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
    O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.1.2...-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.0.3...-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.0...-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8....-ob-assets.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5....-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.1...-ob-assets.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-c.mhi.aol.com/netagent/o.../custappx2.CAB
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0....-ob-assets.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

    Any hints #3?

    Your help is most appreciated. Thanks a bunch!!

    Terry
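Two things in the post above lend themselves to a script rather than eyeballing: the hosts file (Spybot's 127.0.0.1 entries are deliberate sinkholes, and the thing to hunt for is a name pointed anywhere else) and the O15/O16 lines of the HijackThis log, where every Trusted Zone wildcard and every ActiveX download origin deserves a second look. The Python below is an added example, not code from the thread, from HijackThis or from any vendor; the sample inputs are lines quoted in the post plus one constructed hijack entry (the 203.0.113.5 line), and TRUSTED_SUFFIXES is an assumed allowlist, not an authoritative one.

```python
"""Triage of a Windows hosts file and HijackThis (HJT) log lines.

Added example, not code from the thread, from HijackThis or from any
vendor. Sample inputs are built from lines quoted in the post plus one
constructed hijack entry; TRUSTED_SUFFIXES is an assumed allowlist.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- hosts file ----------------------------------------------------------

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass(frozen=True)
class HostsEntry:
    ip: str
    host: str
    comment: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return the active entries of a hosts file (comments stripped)."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank or comment-only line
        for host in parts[1:]:            # one IP may carry several names
            entries.append(HostsEntry(parts[0], host.lower(), comment.strip()))
    return entries


def hosts_findings(entries: List[HostsEntry]) -> Dict[str, List[HostsEntry]]:
    """Sinkholes (name -> loopback, what Spybot adds) are harmless; a name
    pointed at any other address is a hosts-file hijack and needs a look."""
    return {
        "sinkholed": [e for e in entries if e.ip in LOOPBACK],
        "redirected": [e for e in entries if e.ip not in LOOPBACK],
    }


# --- HijackThis lines ----------------------------------------------------

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)

# Assumed allowlist (not official); suffix match, so sub-domains count.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com",
                    "symantec.com", "aol.com")


def host_of(text: str) -> str:
    """Host name from a URL, or the bare name/wildcard if there is no URL."""
    m = URL_HOST.search(text)
    return (m.group(1) if m else text.strip()).lower()


def is_trusted(host: str) -> bool:
    host = host.lstrip("*.")              # "*.akamai.net" -> "akamai.net"
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for lines worth a reviewer's time:
    O15 Trusted Zone entries off the allowlist (a wildcard such as
    *.akamai.net gives every Akamai-hosted site IE's Trusted settings) and
    O16 ActiveX downloads (DPF) from hosts off the allowlist."""
    findings = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O15":
            if not is_trusted(host_of(body.partition(":")[2])):
                findings.append((sec, "Trusted Zone host off allowlist", raw.strip()))
        elif sec == "O16":
            if not is_trusted(host_of(body)):
                findings.append((sec, "ActiveX control from host off allowlist", raw.strip()))
    return findings


# Sample inputs: lines from the post, plus one constructed hijack entry.
SAMPLE_HOSTS = """\
127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
127.0.0.1 code.ignphrases.com
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.igetnet.com
127.0.0.1 clear-search.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.5 securityresponse.example.net  # constructed hijack, not from the post
"""

SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\ANTIVI~1\AVG\AVGCC.EXE /STARTUP
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.akamai.net
O15 - Trusted Zone: http://www.bestbuy.com
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
"""

if __name__ == "__main__":
    for kind, entries in hosts_findings(parse_hosts(SAMPLE_HOSTS)).items():
        print(kind, [e.host for e in entries])
    for sec, reason, line in triage_hjt(SAMPLE_HJT):
        print(sec, reason, "->", line)
```

Run as a script it prints both reports. The O15 check deliberately refuses the *.akamai.net wildcard even though Windows Update is served through Akamai: a wildcard in the Trusted Zone extends IE's relaxed settings to anything hosted on that CDN, not just Microsoft's update content.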


  2. #2 RxMixer (Newbie)
    Just a note regarding my post -- I now think that the "bug" is internal on the computer, as when I am OFF-line I keep getting IE-type windows appearing telling me that the site is not available and asking me whether to "work offline" or "try again". Just thought that this might help - maybe not. Later - and thanks again!!

    Terry

  3. #3 DJDK (Senior Member)
    I think it's a trojan.

    Update and then run your antivirus software.

    If you wish to use one from the internet, go to http://www.virusportal.com and run the free online virus scanner which is on that site somewhere.

  4. #4 RxMixer (Newbie)
    A pleasant good day to all!!

    I FOUND AND DELETED THE LITTLE B*****D !!!!!

    The whole problem is from the ItFRARED.DLL file. Took a little researching - sorry we hit a couple of other forums here - but a very helpful source here was http://www.computing.net/security/ww...rum/13517.html. This whole thread has a great description of the trojan and the company that conceived this "GREAT" marketing technique. I'd like to wring their scrawny little necks!!! Anyway, the last response (#13 I believe) had a link to http://simplythebest.net/info/spywar...e_spyware.html . This was the ticket!!! I read all the directions and checked for all the files and registry entries that were listed in manual 1 and manual 2 and NONE were on my machine. But the file they mentioned at the very end of the article raised a red flag to me. I quote :

    "It may be that ads are still served by NicTechNetworks BetterInternet (hmmm, these guys have a sense of humor!). It means that some software is still in your Windows folder, such as no.exe, UpdInstall.exe. But also AmCUPS.dll, CbCFG32.DLL, and AkLEDIT.dll. The name changes next time around. They seem to be generated by a DLL called AfSETUPC.DLL (Hidden file!). It seems virtually impossible to delete this ActiveX DLL. Starting up in Safe Mode does not help, neither does ending the explorer.exe process. Possibly starting up from a floppy boot disk may do the trick, haven't tried that yet. But the VX2Finder(126) mentioned above does the trick, so we suggest you use that one. Note that, it will delete what it can and what needs a reboot will be done after it reboots. The AfSETUPC.DLL will still be there, but only 1K and removable!"

    This sounded so much like the ItFRARED.DLL file I mentioned in the first post: all capital letters except for the second letter in lower case, a hidden file, and not deletable by regular means.

    I then hit the link for the VX2Finder9x(126) for my Win98se (http://download.broadbandmedic.com/VX2Finder9x(126).exe). Ran the program and it picked out the VX2 file ItFRARED.DLL and was able to promptly delete it. VOILA!!! NO MORE POPUPS!!! YAYYYYYYYY!!!

    To all - might want to keep this little program (60kb) in the bag o' tricks. The other file that was listed (KillBox.exe / 116kb) looks like it could kill any offending files also, if you know the exact file name.

    Ran AdAware and Spybot again and picked off a few gremlins but so far so good and stable.

    If any techs still want to clean up my HJT list, feel free, but I think the other problem is in the past.

    Thanks for reading and have a good evening!!

    Terry
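The casing oddity Terry spotted (capital first letter, lower-case second letter, upper case for the rest, as in ItFRARED.DLL and the AfSETUPC.DLL / AmCUPS.dll / CbCFG32.DLL / AkLEDIT.dll names in the quoted article) is a usable first-pass filter over a directory listing. Two caveats a practitioner would add: a plain `dir` in DOS skips hidden files, so the search in the first post was bound to come up empty without `/a` (`dir /a /b` prints one bare name per line, hidden files included), and the name changes with every install, so this is a heuristic to shortlist candidates, not a signature. The Python below is an added example, not code from the thread or from VX2Finder; the listing it scans is constructed.

```python
"""Heuristic scan for BetterInternet/VX2-style DLL names.

Added example, not code from the thread or from VX2Finder. The casing rule
(capital first letter, lower-case second letter, upper-case rest) is the
observation made in the post above; it is a heuristic, not a signature,
and SAMPLE_LISTING is constructed for the example.
"""
import re
from typing import List

# Matches ItFRARED.DLL, AfSETUPC.DLL, AmCUPS.dll, CbCFG32.DLL, AkLEDIT.dll;
# does not match KERNEL32.DLL (second letter upper) or Shdocvw.dll
# (rest lower). No re.I: the casing *is* the rule.
VX2_NAME = re.compile(r"^[A-Z][a-z][A-Z0-9]{3,}\.(?:DLL|dll)$")


def looks_like_vx2(name: str) -> bool:
    """True if a bare file name fits the odd-casing pattern."""
    return VX2_NAME.match(name) is not None


def scan_listing(listing: str) -> List[str]:
    """Return the names in a `dir /a /b`-style listing (one bare name per
    line) that fit the pattern, in listing order. Legitimate files can
    collide with it, so treat hits as candidates to check against the
    hidden attribute and the cannot-delete behaviour described in the
    post, not as verdicts."""
    return [n.strip() for n in listing.splitlines() if looks_like_vx2(n.strip())]


# Constructed listing: a few real Win98 system files plus two names
# taken from the thread.
SAMPLE_LISTING = """\
KERNEL32.DLL
MSGSRV32.EXE
ItFRARED.DLL
Shdocvw.dll
AfSETUPC.DLL
MSDXM.OCX
"""

if __name__ == "__main__":
    for name in scan_listing(SAMPLE_LISTING):
        print("candidate:", name)
```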

  5. #5 owen (D-A-L Team Member, UK)
    Brilliant. Glad you are sorted. KillBox is a great utility for deleting files; it helps get the little baddies before they start. O^E writes some good utilities.

    Have a read of this:

    Preventing it returning

    After your problem has been resolved on the forum, it is an absolute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

    1. Visit Windows Update
    Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

    2. Download Antivirus Software-
    If you haven't already got antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and, in my opinion, is better than some antivirus software such as Norton. Antivirus software will prevent viruses infecting your system, and it is important that you update it every two days or every week at the most.

    3. Download a Firewall-
    If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.

    4. Spyware Scanners-
    It is important that, as well as having real-time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for and remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc., because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

    5. Prevent Spyware slipping through Internet Explorer-
    Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

    6. Constant Spyware Protection-
    It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

    All of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to update everything (including Windows, using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

    And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!
