VERY annoying virus/malware
Original Message
Name: Sp3cial
Date: September 22, 2006 at 12:42:52 Pacific
Subject: VERY annoying virus/malware
OS: Windows XP Home SP2
CPU/Ram: 1.6GHz, 512MB
Model/Manufacturer: Me
Comment: Hey guys. Since a little while ago, I've been having a problem with popups... while browsing my hard drives. This appears to be opening popups when I open some folders (it's not the same ones every time, it seems pretty random. It also seems I MIGHT have fixed this... IE still opens, but for less than a second) and when I go to ANY site in IE (though NOT in IETab in Firefox). I found a few System32-related files that could be the cause, there was a randomly named one which I discovered was SurfSideKick (thanks to FileAlyzer, the version tab mentioned TDop.exe a lot) and dvdplay.exe which is a virus of some sort according to Google. Might as well list the stuff I've tried; deleted shifty Downloaded Program Files, removed "Safety Bar", scanned with AVG, S&D and Ad-Aware, emptied the cache with CCleaner, used ADSSpy to try and find anything shifty (nothing there.), arranged System32 by date, googled anything recent, uninstalled anything that it could have come with, ran a HijackThis log through hijackthis.de, checked a bunch of stuff with StartUpList and I TRIED to do a Panda ActiveScan... I couldn't in Firefox, nothing appeared in the scan box in K-Meleon (go go ActiveX, eh) and going to the website in IE actually CRASHED Explorer.exe (or maybe the spyware did...). There's nothing strange running currently, nothing new in msconfig/startup, no new BHOs listed in HJT, no Downloaded Program Files I can see that look shifty, nothing. Anyone got any ideas?
AMD Athlon XP 2000+ 1GB RAM 120GB Maxtor DiamondMax Plus/Seagate Barracuda 60GB HDD Nvidia GeForce 6600LE 256MB 16x DVD-ROM 42x CD-RW 16x External DVD RW
Response Number 1
Name: Sp3cial
Date: September 22, 2006 at 15:04:15 Pacific
Subject: VERY annoying virus/malware
Reply: Hooray! Right after posting, I remembered Trend Micro HouseCall. It LOOKS like it's fixed EVERYTHING, but I can't be sure yet. I've just tried IE, no annoying "UR COMPUTAR MITE BE AT RESK!!" messages after going to trendmicro.com, google.com and here.
Response Number 4
Name: Sp3cial
Date: September 24, 2006 at 11:10:28 Pacific
Subject: VERY annoying virus/malware
Reply: Thanks for that, though it wasn't really needed. As I said in my first post, I've been through all the normal crap. Currently, the popups when opening folders still happen, but it seems to be a LOT less than normal. IE is looking like it's fixed, but I'm about to check by just reading a bit in it, with Task Manager open, iexplore.exe selected and my mouse over "End Process". I'm about to run another scan in HouseCall and a scan in Panda, hopefully I'll get rid of this crap FULLY this time.
Response Number 5
Name: Sp3cial
Date: September 24, 2006 at 11:16:18 Pacific
Subject: VERY annoying virus/malware
Reply: Err.. Can anyone confirm the link in Henry's post? That seems REALLY shifty to me...
Response Number 8
Name: Sp3cial
Date: September 25, 2006 at 06:14:27 Pacific
Subject: VERY annoying virus/malware
Reply: Ah, thanks guys. Sorry about all that, I was REALLY rushed, needed to get to sleep and all that. Related to the spyware - well crap, it's DriveCleaner. I managed to get a screenshot of the first popup, before I had to kill iexplore (if I don't, more popups and an Explorer.exe crash usually follow) and yeah, DriveCleaner is what it wanted to install. SpyHunter is running at the moment, doesn't look like it's gonna help - it's already scanned the registry and didn't find anything (I'm pretty damn sure this is all caused by a registry entry) and it's close to finishing on C:, still nothing. Guess I'll spend a bit more time on Google, looking for something to stop this.
Response Number 9
Name: Sp3cial
Date: September 26, 2006 at 03:56:11 Pacific
Subject: VERY annoying virus/malware
Reply: Oh crap, just got a WinAntivirus popup and some randomly named exe trying to access the net. I blocked it, am running a HouseCall scan... but I'm having some problems with text. It's being moved while I type it. I'm typing this in an Xfire window, and copying it over. PLEASE help, I REALLY need it...
Response Number 10
Name: seawatch
Date: September 26, 2006 at 05:38:45 Pacific
Subject: VERY annoying virus/malware
Reply: It almost has to be in your startup programs. Go in through msconfig and remove anything that looks suspicious and reboot. You can actually disable everything in the startup list and put them back one at a time.
Today seems like a good day to chew through the restraints.
Response Number 11
Name: Sp3cial
Date: September 26, 2006 at 08:09:03 Pacific
Subject: VERY annoying virus/malware
Reply: I WISH it was that simple. After trying ANYTHING or seeing any changes, that was where I went. Nothing has changed, nothing suspicious. I've also stopped anything to do with WinAntivirus. Pretty damn easily, too... HijackThis to kill VSToolbar.dll, then a quick delete. Doing that also fixed the moving text thing. I believe I have found 3 DLLs that are causing this. ixt0.dll, lqteoyfc.dll and vtstt.dll. All are in System32, all are listed as BHOs (with the tag (no name)) in StartUpList. I can't remove them RIGHT now (annoying, eh.) as I'm in the middle of a load of stuff.. but I'm going to do it all with either BFU or a handy little .bat (which will, of course, back up the DLLs before removing them).
Response Number 12
Name: Sp3cial
Date: September 26, 2006 at 20:16:18 Pacific
Subject: VERY annoying virus/malware
Reply: Ok, nope. That didn't do it. For one thing, the only one of those DLLs that was THERE was lqteoyfc.dll... also, all the symptoms were gone before I closed and reopened Explorer... This is the strange part, though. vtstt.dll. It seems to disappear when I kill Explorer and return when I open it. In System32, there are 2 files OBVIOUSLY related to it... ttstv.bak1 and ttstv.bak2. Look at them backwards. There's also 8A6E05D4.dll, ttstv.ini and vturqqq.dll. All of these have been RECENTLY modified. Time to move them, methinks. I guess I'll modify my .bat a bit to kill all of these. HOPEFULLY, this'll be the last I see of DriveCleaner.
Response Number 13
Name: Sp3cial
Date: September 26, 2006 at 20:29:12 Pacific
Subject: VERY annoying virus/malware
Reply: REALLY sorry about triple posting... but I have found why I couldn't remove them... They're hidden. And I can't change that. The ticked "Hidden" box in Properties is GREYED OUT. Pretty crap... I have no idea what to do now... all I know is that this is probably the problem and I have NO way of fixing it. I mean, I don't even CARE about the fact that this renders IE unusable, I didn't use it anyway! The main problem is with Explorer... I REALLY don't want a popup for every 3rd or so folder I click... If anyone has any ideas.. please help... I need this PC working, I REALLY can't reformat... especially because of a single piece of crappy adware...
Response Number 14
Name: Sp3cial
Date: September 27, 2006 at 10:43:25 Pacific
Subject: VERY annoying virus/malware
Reply: Ok guys, thanks for all the help... but I'm giving up. I even booted into Damn Small Linux and couldn't delete the files. So I have downloaded FreeCommander, I'll be using it as my new explorer (yes, it's not exactly "integrated", but I don't care.). I have IE Tab for when I HAVE to use IE (so, very rarely. Mainly TAFE related) and I have basically put my PC into "lockdown" mode. Hell, I set ZoneAlarm to High before I go to sleep (for some stupid reason, that stops ALL net access... Except Xfire.). I may try something in about 9 hours (Yay for Anime and caffeine). I'm sure a few of you have seen the CastleCops post about running command line as the SYSTEM account (http://castlecops.com/t107505-Run_Antispyware_as_the_System_account.html)... I'm gonna try that. If that can't kill it, God help my PC. Thanks a bunch Johnw, henryjsaunders and seawatch and sorry for quadruple posting :P
Response Number 15
Name: Johnw
Date: September 27, 2006 at 17:20:40 Pacific
Subject: VERY annoying virus/malware
Reply: Sp3cial, without rereading everything again, it is not making any sense, if something is interfering with your comp, it is in either the main parts or the registry. Is your HijackThis the latest version? What folder do you have it installed in? Upload your popup images here, so we can have a look.

ImageShack http://imageshack.us/ http://reg.imageshack.us/content.ph... ImageShack's mission is to provide an easy-to-use image hosting service for everyone.
http://www.bigupload.com/d=5816BBDE
http://www.free-webhosts.com/free-f...

I use FastStone Screen Capture http://www.faststone.org/FSCaptureD...

Or, Screen Capture ( make sure you select jpeg, anything else is a bigger size ). If you are in any Windows based program, just hit the Print Screen key on your keyboard ( or Ctrl + V ) and you have a full screenshot. If you hold down the 'Alt' key with the Print Screen key, you will capture only the window that is on your screen, not the whole desktop. This sends it to Clipboard, now you can Paste it into Paint ( go to Edit ) or any other Windows based graphics program. Save as... Save as type, select JPEG etc.

Image Resizer http://www.microsoft.com/windowsxp/... http://download.microsoft.com/downl... This PowerToy enables you to resize one or many image files with a right-click. Here is how to get it smaller, right click on the file & select > Resize Pictures, I use 800 x 600 or 640 x 480. Makes it a lot easier to email.

Two registry cleaners that will help.

ATF Cleaner http://www.atribune.org/content/vie... This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All. Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

RegSeeker http://www.hoverdesk.net/freeware.htm Click on > Find in registry, tick all the boxes in > Keys, put a word ( example AOL ) in > Search for: & click > Search. Now you have a list on one page, of all the registry entries for AOL. My personal use is to delete only the Green entries. Click on Select All and choose > Select all Green items. Right click on a Green item to delete all Green files.
Response Number 16
Name: Sp3cial
Date: September 28, 2006 at 07:44:43 Pacific
Subject: VERY annoying virus/malware
Reply: Ok, I'm gonna TRY to explain my extremely messed up situation. I apparently deleted the screenshot (probably while cleaning my desktop after downloading some Gmod mods) and I can't get another one, as I can't get the popups to pop up without restarting Explorer... which I can't do right now. Not to mention the fact that I REALLY don't wanna start these popups again at the moment. All I know is it told me (using a LOT of slang, heh) to download DriveCleaner as my PC was infected with spyware (REALLY?!). Now, what's been happening is I randomly get popups when I browse my PC with Explorer or go to any sites in IE. I have kinda fixed this in my own way by using the IE Tab extension in Firefox for sites that need IE and FreeCommander for browsing my PC. To answer your questions, HJT is the latest version and is currently in F:\Security, along with all Merijn's other apps (good to have them on hand and all that). I keep them zipped until I need them, then I unzip, use, delete. As for this being to do with the registry, I really don't think it is.. the files look like they have been put there by the SYSTEM account (I can't delete them, I can't change their attributes, all I can do is look at them). I just did a RegSeeker scan, found something... kinda. vtstt.dll, the file I suspect is causing this for the most part, has 2 entries. HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\vtstt and an HKCR entry. I have no reason to use ATF-Cleaner, CCleaner does the exact same thing, heh. See what you can do with that info and thanks for that Image Resizer link, that should be VERY handy. Beats opening Photoshop every time I wanna resize something.
Response Number 18
Name: Sp3cial
Date: September 28, 2006 at 08:40:06 Pacific
Subject: VERY annoying virus/malware
Reply: Ok, I think I've nearly fixed this. I ran that SysProtect remover tool (accidentally)... All of a sudden, I can mess with those files! I can change attributes, delete, whatever! So I'm backing them up. I've zipped them, moved the zip to C:\Backups and I am now done with all the stuff I was doing - I am free to kill Explorer. So, think it's ready to be removed, or is there anything else that needs to be done? (sorry about asking so many questions, I really need this PC fully working... don't want to take any chances)
Response Number 19
Name: Sp3cial
Date: September 28, 2006 at 09:17:20 Pacific
Subject: VERY annoying virus/malware
Reply: Argh. Ok, it's definitely vtstt.dll causing this, as it creates a .tmp file when I get one of the popups. And I STILL can't delete it. I've killed all the other files that were related to it, this is the only one left. Any ideas?
Response Number 21
Name: Sp3cial
Date: September 28, 2006 at 10:09:24 Pacific
Subject: VERY annoying virus/malware
Reply: ARGH. MoveOnBoot couldn't move it, apparently. It's still there and as annoying as usual. Though, I didn't get a popup when entering C:\WINDOWS and I normally do. I'm out of ideas. I seriously cannot think of ANYTHING that could kill this...
Response Number 22
Name: Sp3cial
Date: September 28, 2006 at 11:16:45 Pacific
Subject: VERY annoying virus/malware
Reply: Wow. I couldn't even delete it in Safe Mode with or without Explorer.exe running...
Response Number 24
Name: Sp3cial
Date: September 28, 2006 at 11:36:35 Pacific
Subject: VERY annoying virus/malware
Reply: I saw that thread while googling, thing is, that entry isn't there... at all. I have no O20 entries. But, I do have access to StartUpList, which has a WinLogon Autoruns section - it's listed there. I have used the Regedit jump, I'm now looking at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vtstt"... Safe to remove that, reboot and delete?
Response Number 25
Name: seawatch
Date: September 28, 2006 at 12:30:26 Pacific
Subject: VERY annoying virus/malware
Reply: Yes. And also search your registry for an entry of the same name. If found, delete and reboot.
Larry
Response Number 26
Name: Sp3cial
Date: September 28, 2006 at 13:07:19 Pacific
Subject: VERY annoying virus/malware
Reply: GOOD LORD... If I delete the entries, they're back within SECONDS... This is just nuts... I deleted them, rebooted and they were there again... so I deleted them, refreshed and they were back... Still, it seems the popups have stopped completely, I guess one of the other DLLs it installed was causing that. The registry entries are: HKEY_CLASSES_ROOT\CLSID\{91CE0DAC-C9B1-4D76-961C-73853D15144F}\InprocServer32 and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtstt. There's no way to REMOVE registry entries on shutdown, is there? I'm sick of stupid WinFixer crap like this, it's just so damn ANNOYING... Though it could be an ok idea to just leave it there... By the looks of things, it's not actually DOING anything, 'cept taking up 677 KB. I'm not seeing any strange behaviour, no random net usage (Got Uptimer4 running, no spikes whatsoever, other than the normal echo requests)... Right now, I guess it's kinda.. err... "castrated". (no, I don't WANT to leave it there, but by the looks of things, it's not going anywhere any time soon) Also, thanks guys, you've been a MASSIVE help, even I know my questions get annoying :P
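Sp3cial's posts 11, 24 and 26 describe the two places this infection anchored itself: Browser Helper Objects listed as "(no name)", and a Winlogon\Notify package whose key and locked DLL reappear within seconds. The PowerShell below is an added example, not code from the thread or from any tool it names: a read-only audit that lists every DLL registered at both points and flags the traits described here (hidden attribute, recent modification, missing Authenticode signature, a Notify package that is not a stock XP one, and reversed-name droppings such as ttstv.bak1 beside vtstt.dll). The stock-package baseline and the 7-day window are constructed assumptions.

```powershell
# Added example (not from the thread): read-only audit of Winlogon\Notify
# packages and Browser Helper Objects, flagging DLLs with the traits the
# thread describes. Run from an elevated PowerShell prompt.

$system32 = Join-Path $env:SystemRoot 'System32'
# Constructed baseline: Notify packages that ship with Windows XP / Server 2003.
$knownNotify = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon', 'WgaLogon')

function Resolve-Dll([string]$Value) {
    # Registry values are often bare file names that the loader resolves from System32.
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim('"'))
    if ([IO.Path]::IsPathRooted($v)) { $v } else { Join-Path $system32 $v }
}

function Get-DllFlags([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return @('DLL missing on disk') }
    $flags = @()
    $file  = Get-Item -LiteralPath $Path -Force          # -Force so hidden files are returned
    if ($file.Attributes -band [IO.FileAttributes]::Hidden) { $flags += 'hidden attribute' }
    if ($file.LastWriteTime -gt (Get-Date).AddDays(-7))     { $flags += 'modified in last 7 days' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    # vtstt.dll sat beside ttstv.bak1, ttstv.bak2 and ttstv.ini: look for the
    # file name spelled backwards in the same directory.
    $chars = [IO.Path]::GetFileNameWithoutExtension($Path).ToCharArray()
    [array]::Reverse($chars)
    $siblings = Get-ChildItem -LiteralPath (Split-Path $Path) -Force -Filter "$(-join $chars).*" -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -ne $file.Name }
    if ($siblings) { $flags += "reversed-name files: $($siblings.Name -join ', ')" }
    return $flags
}

function Get-PersistenceReport {
    # Winlogon Notify packages: winlogon.exe loads DLLName at logon, which is
    # why the file stays locked and shows up under "WinLogon Autoruns".
    $notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notifyRoot) {   # key is absent on Vista and later
        foreach ($key in Get-ChildItem $notifyRoot) {
            $dll = (Get-ItemProperty -LiteralPath $key.PSPath).DLLName
            if (-not $dll) { continue }
            $path  = Resolve-Dll $dll
            $flags = @(Get-DllFlags $path)
            if ($knownNotify -notcontains $key.PSChildName) { $flags += 'not a stock XP package' }
            [PSCustomObject]@{ Source = 'Winlogon\Notify'; Name = $key.PSChildName; DLL = $path; Flags = ($flags -join '; ') }
        }
    }
    # Browser Helper Objects: each subkey is a CLSID whose InprocServer32 names the
    # DLL Explorer and IE load; a missing friendly name is the "(no name)" of HijackThis.
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoRoot) {
        foreach ($key in Get-ChildItem $bhoRoot) {
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($key.PSChildName)"
            $dll  = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if (-not $dll) { continue }
            $name  = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $path  = Resolve-Dll $dll
            $flags = @(Get-DllFlags $path)
            if (-not $name) { $flags += 'no name'; $name = $key.PSChildName }
            [PSCustomObject]@{ Source = 'BHO'; Name = $name; DLL = $path; Flags = ($flags -join '; ') }
        }
    }
}

Get-PersistenceReport | Format-Table -AutoSize -Wrap
```

Because Notify packages are loaded by winlogon.exe, a flagged DLL will normally be locked for as long as anyone is logged on, which is the failed-deletion behaviour the thread ran into; the audit only reports, it does not remove anything.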
Response Number 27
Name: seawatch
Date: September 28, 2006 at 14:43:13 Pacific
Subject: VERY annoying virus/malware
Reply: Did you follow Post #4 in that link I sent you? (Post #'s on the right not on the left like I said before.) And if you had, you may want to try the Spy Sweeper free trial to identify other files that may be causing you grief.
Larry
Response Number 28
Name: Sp3cial
Date: September 28, 2006 at 14:49:23 Pacific
Subject: VERY annoying virus/malware
Reply: Well then. I have NO idea how I missed that. Unfortunately, I'm really busy at the moment, so I can't do anything about it for a few hours (hell, I shouldn't even be on my PC right now :P). I'll post back when that's done.
Response Number 29
Name: Sp3cial
Date: September 29, 2006 at 08:15:33 Pacific
Subject: VERY annoying virus/malware
Reply: Hah, sorry, I fell asleep. I have just run VundoFix in Safe Mode, I'm waiting for the PC to reboot (on my laptop). It looks like it's gone! The BHO and Winlogon Notify turned up in HJT after it did the scan, they've obviously been removed. Also, at this point, I'd like to say how much I hate the default Windows VGA driver. So thanks. If you hadn't posted, I probably would have never noticed that post. If it's still there in any way, I'll post again, but really, it looks like this is resolved. The files are gone, I didn't get popups browsing to System32 and Explorer (along with everything else) loaded REALLY quick. I had logged into Xfire within 2 minutes of Windows loading (according to Uptimer). So once again, thanks. You've saved me a lot of trouble :D
Response Number 30
Name: seawatch
Date: September 29, 2006 at 10:11:20 Pacific
Subject: VERY annoying virus/malware
Reply: Glad I could help out. Let me know if it worked for sure.
Larry
Response Number 31
Name: Sp3cial
Date: September 29, 2006 at 11:42:02 Pacific
Subject: VERY annoying virus/malware
Reply: Well, it looks like everything is perfect. I haven't had any popups at all. Thanks again :D
Response Number 33
Name: henryjsaunders
Date: November 20, 2006 at 13:10:59 Pacific
Subject: VERY annoying virus/malware
Reply: Another program that I highly recommend is "Stopzilla"; it is shareware if you are willing to pay for it. By the way, don't say my posts might be dangerous. I have helped a lot of people and resolved their problems.
Thank you Mr Saunders ____________________ just helping