We somehow got allaboutsearching tool bar and tool box installed on our computer. I followed the directions from http://www.computing.net/security/wwwboard/forum/10727.html including the uninstaller, kill2me, lspfix.exe and multiple purges with Ad-aware 6.0. The good news is that allaboutsearching toolbar and toolbox have vanished! The bad news is I'm still getting lots of popups and redirects. I have a cable connection, and even with no IE windows open, I get popups when I return to the computer! Any help would greatly be appreciated!

You have an old version of Ad-Aware - the latest is version 6.181. Get it, download the updates and run it again. In addition, you should have 1. Spybot Search and Destroy http://www.safer-networking.org/index.php?page=download The download section is just beyond half way down the page. Immediately update and run it - you can safely get rid of anything it shows in RED. The GREEN entries are probably safe (and are likely to be MicroSoft programs ). 2. CWShredder http://www.spywareinfo.com/~merijn/downloads.html Blue centre section under "Official Downloads". Immediately update it and run it - you can safely let it remove all that it finds. This program is specifically to combat CoolWebSearch. Lastly, download SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html Immediately update it. No need to run it - it works in the background and attempts to keep ad/spy/malware from ever getting onto your system. Remember to look for updates to all these - at least weekly. They are all FREE!!! But you can donate if you wish. Good luck.

Dan As well as above... Is the OS correct under your name? you run windows xp home? There are newer tools to take care of what I believe to be Look2me/VX2 Because the file names are so random, and in the newer operating systems (win2k, xp) security settings are messed up...ad-aware or spybot cannot deal with it all. If you run xp home...go here and download VX2Finder.exe: VX2Finder.exe Save the download to it's own folder. Double click on vx2finder.exe Click on "find VX2.BetterInternet Info" Click on "log" Copy and paste the entire log results here. Please Don't delete anything yet using that tool....I want to make sure none of the files it lists are valid windows files! _________________________________________ I never give up! Windows Update

Thank you for your quick response! I did all of the above. Yet I *still* have the same popup and redirect problems! I am running Win XP Home Edition Version 2002 Service Pack 1. I ran the vx2finder and here are the results in the log: Log for VX2.BetterInternet File Finder Files Found--- C:\WINDOWS\System32\6io4svc.dll C:\WINDOWS\System32\AbLUI.DLL C:\WINDOWS\System32\AkLEDIT.DLL Guardian Key--- is called: GuardianOXFQU Asynchronous 000 DllName C:\WINDOWS\system32\AbLUI.DLL Impersonate 000 Logon WinLogon Logoff WinLogoff Version 124 ID {FBB04831-22CB-4414-8FFA-C338C26279A5} IDex DS3 User Agent String--- {FBB04831-22CB-4414-8FFA-C338C26279A5} Thanks again for your help!

Dan Ok...all those files are vx2... Start vx2 finder again and: Select all the files found. Press 'Delete These Files'. The program will delete all files but one that will be deleted on reboot. Allow program to reboot. Once Restarted: Press 'Guardian.reg'. Press 'User Agent'. Press 'Restore Policy'. Clicking on "find vx2.BetterInternet info" again should show all fields blank. Now update ad-aware again (version6.0, Build 181) If that is not the varsion you have...uninstall the one you do have and dwnload the new. Update ad-aware, shut down and restart ad-aware. Ad-aware needs a little tweaking to work best. Now do the following: - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine: check: "Unload recognized processes during scanning." - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine: Check: "Let Windows remove files in use after reboot." Press "Scan Now" - Check option "Use Custom scanning options" - Check option "Activate In-Depth Scan" - Press "Select drives\folders to scan" - Select the active partition which is usually C: Now press "Next" to let Ad-aware scan your drives... It will find a number of "bad" files and registry keys. Right-click in that pane and choose "select all" Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK. Finally, close Ad-Aware, and reboot. VX2 also sometimes drops some odd crud that ad-aware misses..I would like to see a hijackthis log just to make sure. Download Hijackthis from here: http://spywarewarrior.com/files/HijackThis.exe Save it to it's own folder Start hijackthis and click on scan, the scan button changes to save logbutton, click on save log, click save, when the log pops up in notepad, copy and paste the entire results here. Please don't fix anything yet, most of what you see in the scan is safe or even essential! I will look over your hijack log and see what's left to clean up. _______________________________________ I never give up! Windows Update

OK. I was able to get rid of the 3 vx2 files. I also ran the updated Ad-aware and removed an additional 24 files and keys. An interesting observation: I've run Ad-Aware about 6 times during the course of this debugging, and each time it's found additional things to remove. So far the total number of quarantined items is 864 with 86 objects removed! The following is the hijackthis log: Logfile of HijackThis v1.97.7 Scan saved at 1:33:47 PM, on 5/21/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Dell\Support\Alert\bin\DAMon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\SM1BG.exe C:\WINDOWS\System32\tbctray.exe C:\Program Files\Common Files\efax\Dllcmd32.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DL\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file) O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt3_x.cab O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) - http://www.famous3d.com/viewer/latest/axf3d.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_2us.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab I'm keeping my fingers crossed! Maybe the problem is solved... As I type this no popups have arrived!!

Dan Glad things are working better. Yes vx2 will drop a whole ton of crap on your machine..Some ad-aware cannot remove yet so there is still some spyware responsible for loading new junk. They hijack it to basically turn your machine into nothing but a huge ad generating machine. They modify security settings on your computer so you can't fix it using normal methods..hence the tool I had you download. They are getting PAID to hijack YOUR machine...They are soooo desperate to produce those pay per click ads...they will do anything to get it done. Sorry had to vent.. Ok a few things left to fix. Start hijackthis again and check the following: R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing) O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab Once all are checked, close all open windows and click fix checked Reboot the machine and delete: c:\program files\Common Files\WinTools <--folder I see also you have no antivirus program installed. I suggest installing one. AVG is free and pretty good, does not hog resorces, and has automatic updates. You can download that here: http://www.grisoft.com/us/us_dwnl_free.php You will need to enter a correct email address so they can send you the download link and the key code needed for install. The key code is case sensitive. Before installing the antivirus...just so you don't run into problems I would do an online scan to clean up any possible virus infection. It is hard to install an antivirus if infected. Suggested scan site: http://housecall.trendmicro.com/housecall/start_corp.asp Allow them to clean/delete whatever they find (if anything). Because you had quite a spyware problem...there is still one area to clean out..that is system restore. Windows will have backed up several infected files. Windows locks system restore from modification by any program including antivirus/antispyware tools. The only way to remove infected restore points is to shut off restore, reboot, rescan and if clean then re-enable system restore. Re-enabling system restore will create a fresh restore point. If you need help with restore: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam For future protection see this site: http://boards.cexx.org/viewtopic.php?t=957 should be good to go after that. Good luck. I never give up! Windows Update