Loadingwebsite And Paypopup
-
Re: Loadingwebsite And Paypopup
Hi, BLOCKSKE
Hmm, odd. Do this please: first fix this one here
This one here
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
& these here, you are using a proxy, yes?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skynet.be:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.isaserver.be;*.isanet.be;info.BBL.be
If yes, after fixing the item above, do this here:
Download FindIt's.zip to your desktop.
Unzip/extract the files inside, preferably to C:\ < a new folder.
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes !!
Open the folder and run the FindIt's.bat and wait for a text to open. It will take a while, be patient. Post the results please.
http://forums.net-integration.net/in...post&id=142443
If you get an error similar to:
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application...etc etc'
Go here and use the appropriate fix for your system
http://www.tech-forums.net/computer/topic/29806.html
Let us know
HGD
-
After almost a day I got those popups back
I fixed the first one (www.searchby.net) several times already. But each time I reboot it comes back.
I'll try the other things you mentioned and I'll get back to you
Thanks
-
Here are the results of FindIt's
Windows Millennium [Versie 4.90.3000]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System\HIT.EXE
* UPX! C:\WINDOWS\System\COM.EXE
* UPX! C:\WINDOWS\System\DLL.EXE
* UPX! C:\WINDOWS\System\PLUGIN.EXE
* UPX! C:\WINDOWS\System\LU.EXE
* UPX! C:\WINDOWS\System\SED.EXE
* UPX! C:\WINDOWS\System\RUNME.EXE
* UPX! C:\WINDOWS\System\RUNME2.EXE
* UPX! C:\WINDOWS\System\CP.EXE
* UPX! C:\WINDOWS\System\RUN_21.EXE
* UPX! C:\WINDOWS\ICONT.EXE
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System\NETHV32.DLL
* UPX! C:\WINDOWS\System\IA.DLL
* UPX! C:\WINDOWS\System\P2ECOM.DLL
* UPX! C:\WINDOWS\System\LIVESE~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Het volume in station C heeft geen naam.
Het volumenummer is 1141-14F5
Map van C:\WINDOWS\SYSTEM32.
24.938,81 MB vrij
»»»»» Checking for SAHAgent ico files.
Het volume in station C heeft geen naam.
Het volumenummer is 1141-14F5
Map van C:\WINDOWS\SYSTEM32.
24.938,81 MB vrij
»»»»»»»»»»»»»»»»»»»»»»»».
-
Hi,
OK, now the first thing I want you to do is back up all these files somewhere safe, just in case.
Press control-alt-delete to get into the task manager and end the following processes if they exist:
HIT.EXE
DLL.EXE
PLUGIN.EXE
LU.EXE
SED.EXE
RUNME.EXE
RUNME2.EXE
RUN_21.EXE
If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
Download Pocket Killbox
from one of these locations
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe
If you already have Killbox, first ensure it is this version!
If you have the one in zipped form it MUST be unzipped/extracted first.
Start Killbox and place a tick next to [x] delete on reboot.
Copy this whole list into the Windows clipboard, all the bolded below.
C:\WINDOWS\System\HIT.EXE
C:\WINDOWS\System\DLL.EXE
C:\WINDOWS\System\PLUGIN.EXE
C:\WINDOWS\System\LU.EXE
C:\WINDOWS\System\SED.EXE
C:\WINDOWS\System\RUNME.EXE
C:\WINDOWS\System\RUNME2.EXE
C:\WINDOWS\System\RUN_21.EXE
C:\WINDOWS\System\NETHV32.DLL
C:\WINDOWS\System\IA.DLL
C:\WINDOWS\System\P2ECOM.DLL
Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the first prompt and no to the second.
Exit Killbox and immediately restart your PC.
Once back at the forums, make and post HijackThis and FindIt's logs. There will be more to do, hang in there.
NOTE: as I said above, back them all up first, then go on with the fix
HGD
Last edited by HJThis; 13-06-2005 at 05:31 PM.
-
hello,
here we go again
Popups are back and homepage keeps changing while rebooting.
I've done what you told me, here are logs
Windows Millennium [Versie 4.90.3000]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System\HIT.EXE
* UPX! C:\WINDOWS\System\COM.EXE
* UPX! C:\WINDOWS\System\DLL.EXE
* UPX! C:\WINDOWS\System\PLUGIN.EXE
* UPX! C:\WINDOWS\System\LU.EXE
* UPX! C:\WINDOWS\System\SED.EXE
* UPX! C:\WINDOWS\System\RUNME.EXE
* UPX! C:\WINDOWS\System\RUNME2.EXE
* UPX! C:\WINDOWS\System\CP.EXE
* UPX! C:\WINDOWS\System\RUN_21.EXE
* UPX! C:\WINDOWS\ICONT.EXE
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System\NETHV32.DLL
* UPX! C:\WINDOWS\System\IA.DLL
* UPX! C:\WINDOWS\System\P2ECOM.DLL
* UPX! C:\WINDOWS\System\LIVESE~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Het volume in station C heeft geen naam.
Het volumenummer is 1141-14F5
Map van C:\WINDOWS\SYSTEM32.
24.902,66 MB vrij
»»»»» Checking for SAHAgent ico files.
Het volume in station C heeft geen naam.
Het volumenummer is 1141-14F5
Map van C:\WINDOWS\SYSTEM32.
24.902,66 MB vrij
»»»»»»»»»»»»»»»»»»»»»»»».
Logfile of HijackThis v1.99.1
Scan saved at 11:30:43, on 15/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\WINDOWS\APPLICATION DATA\SSSTBAR\SSSTBAR.DLL
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Dexia BusinessClick - http://businessclick.dexia.be/PC//Dy...t//DexiaBC.cab
-
Hi, BLOCKSKE
Well, you have come a long way from where you started, don't give up on me.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
Now I want you to fix this item here. If we have to, we can always go back & replace
O3 - Toolbar: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\WINDOWS\APPLICATION DATA\SSSTBAR\SSSTBAR.DLL
Then, before going online, do this here
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS
That will change everything back to defaults (M$)......
Change your homepage and search engines to whatever you wish and reset your pc.
When it boots back up, open IE and see if the page stays the way that you set it.
& this too
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
   1. Change the Download signed ActiveX controls to Prompt
   2. Change the Download unsigned ActiveX controls to Disable
   3. Change the Initialize and script ActiveX controls not marked as safe to Disable
   4. Change the Installation of desktop items to Prompt
   5. Change the Launching programs and files in an IFRAME to Prompt
   6. Change the Navigate sub-frames across different domains to Prompt
   7. When all these settings have been made, click on the OK button.
   8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
& get this here out of the way
Clean out temporary files:
* Start | Run | type cleanmgr | OK
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Click "OK" to remove them.
* Click "Yes" to confirm the deletion.
Then post a new logfile with any info you have to add
HGD
-
I've done what you asked.
Homepage keeps changing.
Here are logs
Windows Millennium [Versie 4.90.3000]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System\HIT.EXE
* UPX! C:\WINDOWS\System\COM.EXE
* UPX! C:\WINDOWS\System\DLL.EXE
* UPX! C:\WINDOWS\System\PLUGIN.EXE
* UPX! C:\WINDOWS\System\LU.EXE
* UPX! C:\WINDOWS\System\SED.EXE
* UPX! C:\WINDOWS\System\RUNME.EXE
* UPX! C:\WINDOWS\System\RUNME2.EXE
* UPX! C:\WINDOWS\System\CP.EXE
* UPX! C:\WINDOWS\System\RUN_21.EXE
* UPX! C:\WINDOWS\ICONT.EXE
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System\NETHV32.DLL
* UPX! C:\WINDOWS\System\IA.DLL
* UPX! C:\WINDOWS\System\P2ECOM.DLL
* UPX! C:\WINDOWS\System\LIVESE~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Het volume in station C heeft geen naam.
Het volumenummer is 1141-14F5
Map van C:\WINDOWS\SYSTEM32.
24.850,00 MB vrij
»»»»» Checking for SAHAgent ico files.
Het volume in station C heeft geen naam.
Het volumenummer is 1141-14F5
Map van C:\WINDOWS\SYSTEM32.
24.850,00 MB vrij
»»»»»»»»»»»»»»»»»»»»»»»».
Logfile of HijackThis v1.99.1
Scan saved at 15:34:09, on 15/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_NL_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Dexia BusinessClick - http://businessclick.dexia.be/PC//Dy...t//DexiaBC.cab
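
Added example, not part of the thread and not code from HijackThis or its authors: a short Python script that compares two HijackThis scans and reports which entries marked for fixing stayed gone and which came back. The log excerpts are copied from the 11:30 and 15:34 scans posted above; the function and variable names are assumptions of this example.

```python
import re

# A HijackThis entry is "<section code> - <body>", e.g. "R0 - ..." or "O16 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")

# Excerpts copied from the two scans posted in the thread (15/06/2005).
SCAN_1130 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
O3 - Toolbar: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\WINDOWS\APPLICATION DATA\SSSTBAR\SSSTBAR.DLL
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
"""
SCAN_1534 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
"""
# The two entries the helper asked to tick before "Fix checked".
FIXED = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
O3 - Toolbar: Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\WINDOWS\APPLICATION DATA\SSSTBAR\SSSTBAR.DLL
"""


def parse_entries(log_text):
    """Return the set of (code, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Collapse whitespace so forum re-wrapping does not produce false differences.
            entries.add((m.group("code"), " ".join(m.group("body").split())))
    return entries


def compare_scans(before, after, fixed):
    """Report what happened to the entries marked for fixing, and anything newly added."""
    old, new, targets = (parse_entries(t) for t in (before, after, fixed))
    return {
        "removed": sorted((targets & old) - new),   # fix held
        "persisted": sorted(targets & old & new),    # entry is back after the fix
        "new": sorted(new - old),                    # appeared between the scans
    }


if __name__ == "__main__":
    for status, items in compare_scans(SCAN_1130, SCAN_1534, FIXED).items():
        for code, body in items:
            print(f"{status:9} {code:3} {body}")
```

An entry reported as persisted was written back after the fix, which matches the start page returning on every reboot in this thread.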