
Please Help! S.clkoptimizer Popups!

I've run AdAware SE (with VX2 plugin), Spybot, Norton Internet Security, CWShredder, a couple of online virus scans & an online trojan scan. It has since been updated again and the old find_it will not find all files yet. This is the most simple site I know of that demonstrates the problem.

I am also getting a lot of popup installs from websites I'm not even on asking me if I want to install something. Click on the "Firedfox" link. Joe. Save it as file name: "fixme.reg" (not including the quotes).

I found this on http://www.valueweb.com/promos/websitehosting6.htm

Comment 146 Joe Kueser 2004-10-07 05:44:01 PDT
Here's the code called from drudgereport.com when you click a link

var date_ob=new Date(); document.cookie='h2=o; path=/;'; if(document.cookie.indexOf('e=llo') <= 0

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041110 Firefox/1.0

Comment 185 Matt 2004-11-11 14:32:45 PST
http://www.bratzpack.com/index2.asp Opens a new windows with an ad for a video

Comment 186 Jiveus 2004-11-11

My Outlook 2000 will open fine and all looks normal until I go to download e-mail and it can't seem to connect to my ISP server.

Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile]

Anyway, this happens pretty consistently when I visit the Onion, so I think it's very reproducible.

Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\TEMP\INS6174.TMP

Comment 156 Ng Ming Hong 2004-10-18 00:55:02 PDT
The testcase is a duplicate of bug 209134.

Preferable to your desktop. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text opens.

Can somebody explain the following:
1) What is being done about the bug
2) Why separate bugs shouldn't be raised by people with test-cases
3) Why it isn't embarrassing that Firefox's

http://www.bleepingcomputer.com/forums/t/8906/hijack-results-please-help-me/

Notice how the js function is defined in the head, and is prepared for use in the body onunload.

Comment 21 Phil Randal 2004-08-03 01:41:52 PDT
http://www.empireonline.co.uk/site/incinemas/reviewinfull.asp?fid=10175 just did it to me.

Still can't get rid of those #$%$# 01's! Logs follow:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:22 PM, on 3/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM

Warning!

Comment 127 James Bailey 2004-09-21 09:21:11 PDT
This Javascript causes the openings.

Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is

Comment 154 Steve Foxe 2004-10-16 05:14:38 PDT
This site will open a new window when closing the tab, however if it's the only site in a window and closing that window

Thanks a lot Joe!

Comment 152 hlascs 2004-10-15 11:22:06 PDT
Pop-up when closing the website: http://www.windowsxpatoz.com/cgi-bin/miscellaneous/index.cgi

Comment 153 tom.williams 2004-10-15 14:10:09 PDT
I'm running into some adult sites with popups that appear when I close

Comment 8 James Slaughter 2004-07-31 13:33:10 PDT
http://www.yzzerdd.com/ spawns popups via the shockwave object.

Comment 37 Simon Morgan 2004-08-08 05:54:14 PDT
http://www.dabs.com/uk The offending line is: at the bottom of the HTML.

Comment 63 JB 2004-08-17 13:25:12 PDT
using Firefox.9.3 / non installer version for Linux Go to www.cbssports.com & www.cbssportsline.com click on a link and go to a page and you get

I also double clicked on tb_setup, (I think it was that one anyway, can't remember fully) and it showed the location as being C:\\WINDOWS\system32\vqirik.exe.

AND WE WERE SO CLOSE!!! Is there anywhere with a good tutorial on killbox? Also post the FindIt log and a new HijackThis log. The last thing is: please check to make sure your Recycle Bin is working properly.

Nothing is getting rid of it. The last couple of times that I ran my AdAware SE program, I showed that I had infections from CoolWebSearch & VX2. At the bottom, click Show advanced settings.

anyway, here are the logs hijack this (once again, cleaned out, like my original post) Logfile of HijackThis v1.99.0 Scan saved at 10:22:38 AM, on 1/5/05 Platform: Windows 98 SE (Win9x

Trying to fix urllogic popup problem (my Norton AV isn't working right either).

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow

desktop.ini Service Manager.lnk uptd.exe Wireless Sync Client.lnk
User Startup: C:\Documents and Settings\lfairc01.MMS\Start Menu\Programs\Startup . ..
Total of file sizes: 1,362,624 bytes 1.30 M

------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\hggtgn.dll: excl_urls=
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4

I actually spent a day reviewing some of your other VX2/Win98 threads and was able to figure out what to do. It will then ask if you want to reboot now.


This is blocked properly (again, with that darned yellow bar@!!) in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040826 Firefox/0.9.1+ (bangbang023). Do you have a link to the NT version of the findit?