1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Google Popup Blocker - No Work No More

Discussion in 'Virus & Other Malware Removal' started by MsPCGenius, Sep 8, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. MsPCGenius

    MsPCGenius Thread Starter

    Joined:
    Apr 24, 2000
    Messages:
    763
    My system crashed and I had to reload my apps onto a new PC. On my old PC, I was successfully using the Google toolbar with Popup Blocker engaged. I had vitually no pop-ups.

    On the new one however, same OS (W2000), the Google Popup Blocker does not seem to be functioning nearly as well.... I'm getting pop-ups all the time. :mad:

    Any suggestions? :confused:
     
  2. GrumpyHermit

    GrumpyHermit

    Joined:
    May 23, 2004
    Messages:
    464
    When you installed to a new PC, did you go onto the internet without a working firewall and antivirus? If so, you probably got infected with spy/adware, and you'll need to get your system cleaned up.

    Some things you'll need to do first:

    1. Go to Windows Update website and download and install all critical Windows updates.

    2. If you aren't running an antivirus, get one. If you don't wish to pay for one, there are some free ones available, see the sticky threads on the Security forum for a list of websites.

    3. You'll need to have a working firewall. A good free one is ZoneAlarm.

    4. You'll need to download Ad-Aware and Spybot Search & Destroy. Install them, update them, and run them, deleting everything that they find.

    5. You'll need to download Hijack This! Make up a subfolder in your My Documents folder and name it Hijack This! and download the program into this folder. Run the program, then save everything it finds to a Notepad file; copy those results in your clipboard and paste them in a reply to this thread, and one of the experts will walk you through the cleanup. DON'T delete anything using Hijack This!, wait until you get advice.

    All of the programs I mentioned above can be found in the Security forum, in the sticky thread called How Did I Get Infected In The First Place?

    Good Luck!
     
  3. MsPCGenius

    MsPCGenius Thread Starter

    Joined:
    Apr 24, 2000
    Messages:
    763
    This is my office PC so #1-#3 are all in place. I ran Adaware and Spybot this morning. Here is the HiJack log following that:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:06:59 AM, on 9/8/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINNT\system32\cusrvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\hkcmd.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\NALDESK.EXE
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\WINNT\webshots.scr
    C:\Novell\GroupWise\GrpWise.exe
    C:\Novell\GroupWise\Notify.exe
    C:\WINNT\System32\svchost.exe
    C:\Downloads\Spyware Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hi.mcg.edu/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mcg.edu:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.hims.mcg.edu;www.hims2.mcg.edu;...edu;alpha2.mcg.edu;*.mcg.edu;hi2.idx.mcg.edu; 158.93.20.240;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.web2host/wma/mcghost2.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O1 - Hosts: 66.155.50.241 www.mcghealthcare.org # MCG HealthCare
    O1 - Hosts: 158.93.35.16 www.web2host.mcg.edu
    O1 - Hosts: 158.93.12.43 proxy.mcg.edu
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32N.dll
    O12 - Plugin for .lst: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32N.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32N.dll
    O16 - DPF: {120136E3-6AC5-11D0-95E6-00C04FD8A1B0} (Winsurf Mainframe Access Launcher Control) - http://web2host.mcg.edu/wma/wmald32.cab
    O16 - DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} (IDXssl Class) - http://idx.mcg.edu/IDXML/idxssl.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38187.2621412037
    O16 - DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} (IDX TermWin Control) - http://idx.mcg.edu/IDXICW/IDXM/ICW.cab
    O16 - DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} (IDXcsvr Control Class) - http://idx.mcg.edu/IDXML/idxcsvr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://clusterl.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - http://idx.mcg.edu/IDXWeb/IDXWF/Context/IDXTools.cab
    O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idx.mcg.edu/IDXWEB/IDXWF/Context/IDXBrowser.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23478D1F-16AA-41D6-8814-F909A54B429D}: NameServer = 158.93.1.117,158.93.1.7
    O17 - HKLM\System\CS1\Services\Tcpip\..\{23478D1F-16AA-41D6-8814-F909A54B429D}: NameServer = 158.93.1.117,158.93.1.7
    O17 - HKLM\System\CS2\Services\Tcpip\..\{23478D1F-16AA-41D6-8814-F909A54B429D}: NameServer = 158.93.1.117,158.93.1.7
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    [​IMG] Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View

    Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.computercops.biz/downloads-cat-14.html

    Then:

    1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2 >> In Safe Mode run the CoolWebShredder and have it "fix" detected problems. Then run HijackThis and check and "fix" the following entries:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    3 >> While in Safe Mode delete the WinTools folder in c:\Program Files\Common Files

    Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

    Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them


    Reboot and post a new HijackThis Scanlog, but use the latest version (1.98.2) available here.

    Also I will move this to the Security forum.

    http://www.net-integration.net/tools/hijackthis.html

    By the way, there is a new Ad-aware version (SE), if you haven't used that you should:

    Ad-Aware Home Page


    http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe

    The VX2 plugin will be available in the "add-ons" window once installed and is run from there.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/271594

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice