IE Pop-ups while using FIREFOX...I suspect DNS catcher...

  #1  
Old 11-09-2005
Newcomer, in training
 
Member since: Nov 2005, 8 posts
IE Pop-ups while using FIREFOX...I suspect DNS catcher...

As this is my first post, I guess I should say, "HI" and thanks for even looking at this in the first place.

I very rarely use IE, but lately have been getting pop-ups.
I've been getting two kinds of pop-ups: One kind seems to be displaying links in response to my Google searches or in response to the web page I'm viewing. I did a bit of research and found that this could be a symptom of something called DNS Catcher. The other kind are advertisements for casino sites, travel agencies, etc. I've run several scans with both Symantec AntiVirus and Microsoft AntiSpyware. It found several problems, including DNS Catcher, some Trojan crap and other Adware, and supposedly deleted/quarantined them, but the problem still remains; however, I now seem to be getting more of the advertisement pop-ups than "search result" pop-ups.
I ran additional scans in both Normal and Safe Mode, but no threats are detected now, even though the pop-ups continue.
I doubt this'll help...but when I get a stack of the pop-ups minimized, it says "MQBETMAN" in the little taskbar block. Don't know what that could mean, but it's always consistent.

Please, please help.

Last edited by Sp00ky_E.; 11-09-2005 at 09:44 PM..
  #2  
Old 11-10-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Try this one:
Read: How to remove Trojans and its ilk!
  #3  
Old 11-11-2005
Newcomer, in training
 
Member since: Nov 2005, 8 posts
Much better! Thanks for the tip. I'm not getting as many pop-ups now, but somehow they're still around. I got one from 888.com just now. Here's my ewido Scan report, it fixed a whole bunch of stuff, but something may have slipped through the cracks. I'd appreciate it if you'd take a look.

(I removed a few parts of the report on things that were cleaned to get it down to 100mb)

Regards, Sp00ky.
Attached Files
File Type: txt Scan report_20051110.txt (99.9 KB, 3 views)
  #4  
Old 11-11-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Follow these instructions EXACTLY. Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

Then Read: How to post your Hijackthis log-files as an attachment.
  #5  
Old 11-11-2005
Newcomer, in training
 
Member since: Nov 2005, 8 posts
I haven't gotten to following the last post yet, but I ran ewido again and got this warning while it was cleaning:

The file "C:\Program Files\Common Files\system32.dll/gui.exe" cannot be removed because it is embedded in the archive "C:\Program Files\Common Files\system32.dll" Do you want to remove the whole archive?" Y/N

What should I do?
  #6  
Old 11-12-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Fix everything else that's found except that gui.exe stuff.
Post your HJT-log (only one from Safe mode) as described.
  #7  
Old 11-12-2005
Newcomer, in training
 
Member since: Nov 2005, 8 posts
That seems to have done the trick! I'm currently pop-up free.

I've posted my HJT log, as instructed.

Thanks for all your help!
Attached Files
File Type: txt hijackthis.txt (3.9 KB, 1 views)
  #8  
Old 11-12-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Run HJT in Safe Mode and let it 'fix' all these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1119009841668
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
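
An added example, not part of the original thread: a small Python parser for HijackThis entries of the kind listed in post #8, grouping them by section code and flagging "(no file)" leftovers. The section descriptions and the function names are assumptions made for this illustration, not HijackThis's own code.

```python
import re
from collections import defaultdict

# Four entries copied from post #8, plus one constructed junk line.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
not a log line
"""

# Section codes seen in this thread (descriptions are this example's own summary).
SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O9": "extra IE toolbar button or Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
REG = re.compile(r"^(HK[A-Z]{2})\\(.+?),(.*?) = (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_line(line):
    """Return a dict for one HJT entry, or None if the line is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "section": SECTIONS.get(code, "unknown"),
             "body": body, "missing_file": body.endswith("(no file)")}
    reg = REG.match(body)
    if code.startswith("R") and reg:  # registry entries: hive\key,value = data
        entry.update(hive=reg.group(1), key=reg.group(2),
                     value=reg.group(3), data=reg.group(4))
    clsid = CLSID.search(body)
    if clsid:  # O9/O16 entries carry the COM class id in braces
        entry["clsid"] = clsid.group(0)
    return entry

def parse_log(text):
    """Group all recognisable entries in a log by their section code."""
    by_code = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            by_code[entry["code"]].append(entry)
    return dict(by_code)

def missing_file_entries(text):
    """Entries marked '(no file)': registry references whose target is gone."""
    return [e for es in parse_log(text).values() for e in es if e["missing_file"]]
```
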
  #9  
Old 11-12-2005
Newcomer, in training
 
Member since: Nov 2005, 8 posts
I fixed those things and then ran another scan (log attached).

AdAware and Spybot are still finding problems in Normal Mode and now I'm only getting pop-ups from CheapTickets.com.
Attached Files
File Type: txt hijackthis.txt (2.7 KB, 2 views)
  #10  
Old 11-13-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
The only place I can think of where this might be coming from is:

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Brittany\Programs\aim.exe

Uninstall it for the moment (Get rid of it really, it's a popular target for all sorts of mischief.)
If that does not fix it, you can always reinstall it. Backup your contacts first.

Other than that, look up online virus scanners in Google and run them all.
  #11  
Old 12-10-2005
Newcomer, in training
 
Member since: Dec 2005, 1 posts
Can you take a look at this for me?
Can you tell me what to delete?
Attached Files
File Type: txt log.txt (5.8 KB, 2 views)
  #12  
Old 12-11-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Follow these instructions EXACTLY.
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties