12-06-2007, 06:51 AM   #6
amateur
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,532
OS: XP SP3


Re: Pop-up problems, spyware alerts, please help

Hi,

Please go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (Except for "My Current Home Page.")

=====================================

Go to Start>Control Panel>Add or Remove Programs and remove the following program, if present:

RichVideoCodec

=====================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Click Start>Run, type in appwiz.cpl and press Enter.
  • Remove all entries of Runtime Environment (J2SE or JRE) that are listed.
  • Now reboot your computer.
  • Download the latest version of Java Runtime Environment, and install it to your computer.
=====================================

Scan with HijackThis and put a checkmark against the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust.../search/ie.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: MSVPS System - {74C44274-2A2D-4A99-B00B-CCA3912349F3} - C:\WINDOWS\vipextpxm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The voipwet - {0687766B-F048-43D1-B33B-DBE6FE9AE712} - C:\WINDOWS\voipwet.dll
O21 - SSODL: kopmet - {64F65E54-B7D1-41EF-AE0E-1C2231C8FE94} - C:\WINDOWS\kopmet.dll
O21 - SSODL: jetctrl - {912C72FE-74A4-4E50-B54A-1718A805EF53} - C:\WINDOWS\jetctrl.dll

Close all browsers/windows other than HijackThis and click on "fix checked". Exit HijackThis.

======================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it (starting from File::):

Code:
File::
C:\WINDOWS\jetctrl.dll
C:\WINDOWS\vipextpxm.dll
C:\WINDOWS\kopmet.dll
C:\WINDOWS\voipwet.dll
C:\WINDOWS\nretcip.exe

Folder::
C:\Program Files\RichVideoCodec

Save this as CFScript.txt.



Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


====================================

Restart your computer. Scan with HijackThis and save the report.

====================================

Post the fresh HijackThis log along with the CFScript.txt.
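
An added example, not part of amateur's post and not code from HijackThis or ComboFix: Python that parses the CLSID-backed HijackThis lines and the CFScript text quoted in the post and cross-checks them, so a helper can confirm that every DLL behind a fixed entry is also queued under File:: and see which script paths have no matching log entry. The function names and the regular expression for the log line layout are assumptions based only on the lines shown in the post.

```python
import re
# Entries and script text copied from the post above (R1 lines omitted; R-lines are skipped anyway).
HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: MSVPS System - {74C44274-2A2D-4A99-B00B-CCA3912349F3} - C:\WINDOWS\vipextpxm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The voipwet - {0687766B-F048-43D1-B33B-DBE6FE9AE712} - C:\WINDOWS\voipwet.dll
O21 - SSODL: kopmet - {64F65E54-B7D1-41EF-AE0E-1C2231C8FE94} - C:\WINDOWS\kopmet.dll
O21 - SSODL: jetctrl - {912C72FE-74A4-4E50-B54A-1718A805EF53} - C:\WINDOWS\jetctrl.dll
"""
CFSCRIPT = r"""File::
C:\WINDOWS\jetctrl.dll
C:\WINDOWS\vipextpxm.dll
C:\WINDOWS\kopmet.dll
C:\WINDOWS\voipwet.dll
C:\WINDOWS\nretcip.exe
Folder::
C:\Program Files\RichVideoCodec
"""

# Assumed layout: "<section> - <kind>: <name> - {CLSID} - <file path or (no file)>"
CLSID_ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_hjt(log):
    """Return dicts for CLSID-backed entries (O2, O3, O21); other lines are skipped."""
    out = []
    for line in log.splitlines():
        m = CLSID_ENTRY.match(line.strip())
        if m:
            sec, kind, name, clsid, path = m.groups()
            out.append({"section": sec, "kind": kind, "name": name, "clsid": clsid,
                        "file": None if path == "(no file)" else path})
    return out

def parse_cfscript(text):
    """Map each 'Header::' line to the list of paths that follow it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = sections.setdefault(line[:-2], [])
        elif line and current is not None:
            current.append(line)
    return sections

def cross_check(log, script):
    """Compare files behind the log entries with the File:: list (case-insensitive paths)."""
    loaded = {e["file"].lower() for e in parse_hjt(log) if e["file"]}
    queued = {p.lower() for p in parse_cfscript(script).get("File", [])}
    return {"unqueued": sorted(loaded - queued), "script_only": sorted(queued - loaded),
            "orphans": [e["clsid"] for e in parse_hjt(log) if e["file"] is None]}
if __name__ == "__main__": print(cross_check(HJT_LOG, CFSCRIPT))
```

Here `unqueued` lists DLLs that a log entry points to but the script would leave on disk, `script_only` lists queued files that no parsed entry references, and `orphans` lists CLSIDs whose entry reports "(no file)".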