
Thank you craperjack and crunchie for assisting miepmiep, so that I could find help for a similar problem.

I am having a problem with the poker pop-up too, exactly the same: "Search for Poker Online". I initially messed around with my registry in regedit to try to remove it. I have no idea how to get rid of it. I used Lavasoft Ad-Aware Personal SE, an adware remover.

However, the problem still persists.

Logfile of HijackThis v1.98.2
Scan saved at 9:49:17 AM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\devldr32.exe
C:\Download\ad-aware\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdme32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [E981F653] C:\WINDOWS\system32\ctLinra.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [FDBF3A4E] C:\WINDOWS\system32\dsntcer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [kbdsw] C:\WINDOWS\System32\kbdsw.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [FDBF3A4E] C:\WINDOWS\system32\dsntcer.exe
O4 - HKCU\..\Run: [E981F653] C:\WINDOWS\system32\ctLinra.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PD - {B87C54D9-69CC-4DF6-847C-2C7CABC992E5} - C:\Program Files\Popup Defender\pd.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: DigiChat Applet - http://host4.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.nuker.com/products/swn2004/installers/default/SpyWareNukerInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102059788113

Hope to get some help.


OK, here we go...

1. SpyKiller, BestPopUpKiller, and SpyHunter all fall into the category of "dubious" programs, in that they are unreliable and at the very least return "false positive" findings as a way of enticing users to buy the commercial versions of the programs. You should uninstall them and use the trusted, recommended (and free) alternatives instead. For more information on bogus vs. legit "spyware" utilities, please visit this site:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Links to some of the reputable programs (of which Lavasoft's Ad Aware is one) can be found in my sig below.

2. " C:\Program Files\Internet Explorer\IEXPLORE.EXE"

That entry in your HJT log indicates that you had at least one instance of Internet Explorer running when you ran HijackThis. HJT cannot fully perform its fixes unless all instances of your web browsers are closed. Please make sure that is the case before proceeding.


* -> Before doing the following, you should probably disable XP's System Restore function. Instructions for doing so (and an explanation of why you should) can be found here.

3. Once you have closed all instances of all web browsers, have HijackThis fix:

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdme32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [E981F653] C:\WINDOWS\system32\ctLinra.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [FDBF3A4E] C:\WINDOWS\system32\dsntcer.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKCU\..\Run: [kbdsw] C:\WINDOWS\System32\kbdsw.exe
O4 - HKCU\..\Run: [FDBF3A4E] C:\WINDOWS\system32\dsntcer.exe
O4 - HKCU\..\Run: [E981F653] C:\WINDOWS\system32\ctLinra.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: DigiChat Applet - http://host4.digichat.com/DigiChat/...s/Client_IE.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.nuker.com/products/swn20...erInstaller.exe


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Locate and delete the following files:
C:\windows\system32\kalvdme32.exe
C:\WINDOWS\system32\ctLinra.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\dsntcer.exe
C:\WINDOWS\System32\kbdsw.exe
C:\WINDOWS\system32\dsntcer.exe
C:\WINDOWS\system32\ctLinra.exe

- Locate and delete the following folders entirely:
C:\Program Files\Enigma Software Group
C:\Program Files\Windows TaskAd
C:\Program Files\Common Files\tsa
C:\Program Files\SpyKiller
C:\Program Files\BestPopUpKiller

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.


- Empty your Recycle Bin.

- Reboot normally.


5. Post a fresh/new HijackThis log.


Thank you DMR for helping me with the "search for online poker" pop-up that came up every minute. At this moment, I am not experiencing any such pop-up. Thanks for helping me keep my computer clean of pop-ups.

Excellent help and precise step by step guide.


Glad we could help! :)


To lessen your chances of reinfection, you should probably download and install SpywareBlaster and SpywareGuard as a measure of protection. I'd also suggest that you use SpyBot Search & Destroy in conjunction with Ad Aware. SpyBot is very similar in function to Ad Aware, but will sometimes catch things that Ad Aware misses; using the two programs together is a Good Idea.

Download links for three of the above utilities are in my sig file below.


ACK! It's back again. By the way, the last time I deleted the files, some of them could not be found even with hidden and protected files set to be shown.

Here is the new HijackThis log; hope to find further help. It's back again. I have not done any surfing, only checked e-mail. I had not used the computer for a few days either, so I didn't really get to fully test it out for a whole day.

Logfile of HijackThis v1.98.2
Scan saved at 4:41:25 AM, on 8/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Download\ad-aware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxxv32.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102059788113


Crud- I missed one in my earlier post...

1. Have HJT fix the following:

" O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe"


2. Although the actual filename has morphed slightly (in your last log it was named "kalvdme32.exe"), this gremlin is still present:

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxxv32.exe

** Note: That file may change its name slightly again, but this particular infection has a pattern: the filename will always be kalvxyz32.exe, where xyz are the only letters of the name which change.

Have HJT fix that entry, reboot into Safe Mode, delete wuclient.exe and kalv(whatever)32.dll, and empty your trash.
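A small triage script for the indicators in DMR's post above, added here as an example and not part of the original thread or of HijackThis: it parses HijackThis O4 (Run key) lines, flags the value names DMR listed for fixing, and applies the "kalvxyz32" filename pattern he describes, where only the three letters xyz change. The sample log lines are constructed from the logs in this thread; the regexes and helper names are my own assumptions rather than anything HijackThis provides.

```python
import re
from typing import Dict, List, Optional

# Filename pattern DMR gives for this infection: kalvxyz32.exe, where only the
# three letters xyz change between variants (kalvdme32.exe, kalvxxv32.exe).
# Extended (assumption) to the .dll he also mentions deleting.
KALV_PATTERN = re.compile(r"^kalv[a-z]{3}32\.(exe|dll)$", re.IGNORECASE)

# Value names of the O4 entries DMR told the poster to have HijackThis fix.
# The original log line has a trailing space in "Windows Update Client ";
# names are compared after strip(), so that space does not matter here.
FLAGGED_VALUE_NAMES = {
    "kalvsys", "SpyHunter", "E981F653", "XPSP2 Firewall", "FDBF3A4E",
    "Windows TaskAd", "kbdsw", "Tsa2", "SpyKiller", "BestPopUpKiller",
    "Windows Update Client",
}

# Shape of a HijackThis O4 line: "O4 - HKLM\..\Run: [name] command".
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First path ending in .exe, with or without surrounding quotes (assumption:
# sufficient for the command lines HijackThis printed in this thread).
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)

# Constructed sample modelled on the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdme32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxxv32.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"""


def extract_exe(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command string, or None."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else None


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def matches_kalv(filename: str) -> bool:
    """True if the filename fits DMR's kalvxyz32 pattern."""
    return KALV_PATTERN.match(filename) is not None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan O4 lines and return those matching an indicator from this thread."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_LINE.match(line)
        if not m:
            continue  # not an O4 line; other sections are not handled here
        name = m.group("name").strip()
        exe = extract_exe(m.group("cmd"))
        reasons = []
        if exe and matches_kalv(basename(exe)):
            reasons.append("filename matches kalv???32 pattern")
        if name in FLAGGED_VALUE_NAMES:
            reasons.append("value name is on the fix list from this thread")
        if reasons:
            findings.append({
                "line": line,
                "hive": m.group("hive"),
                "name": name,
                "exe": exe or "",
                "reason": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['hive']}] {f['name']!r} -> {f['exe']}: {f['reason']}")
```

Run against the constructed sample, it flags both kalv variants and wuclient.exe and leaves ctfmon.exe, QuickTime and Spyware Doctor alone; the value-name list is only as good as the thread it was taken from, whereas the filename pattern is the part that survives the renaming DMR warns about.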


Can't thank you enough; I have now learnt more about removing the "gremlin" ;) Cheers!


Again- you're welcome. Now let's hope it worked...

The kalvxyz32.dll bit seems like it might be related to the EliteToolbar pest that's making the rounds, but there isn't really a heck of a lot of definitive info available on the beast; I was only able to confirm the (pseudo-random) pattern of the filename change yesterday or the day before.

Let us know if it crops up again please.


It's been a while, and I would like to let you know that the computer I was using no longer experiences the pop-up problem.

Thanks again.
