1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hijack This Log...Pop-ups suddenly started

Discussion in 'Virus & Other Malware Removal' started by parrotplay, Apr 10, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. parrotplay

    parrotplay Thread Starter

    Joined:
    Apr 13, 2003
    Messages:
    1,299
    Hi. I suddenly started being inundated with pop-up ads, some taking up the entire screen and cannot find a way you, unless I use the Task Manager in my XP, which then takes me out of everything, not just that ad closes. Many of these ads say Microsoft on them. Am sure you know...this is one ad right after the next and is so annoying. Can you see anything that may be the problem for this, on my Hijack This Log I just ran? Prior to running this, I ran Spybot and also Adaware 6, both found items that I took care. I usually have none. Not 10, 20 or more. I have Spyware Guard running in the background, Browser HiJack Blaster, X-Cleaner, Spyware Blaster and the Google Pop-up stopper toolbar. AND I just kicked AOL to the curb, finding a much more satisfactory ISP, deleting and uninstalling as much as I could find on AOL. I am not able to uninstall this game control that was installed without me realizing it, just wanted to play a game, it is Wild Tangent. That may be the problem, I don't know. Also, while browsing in Windows to change an icon, I found an item, with a bear, named, "Set De Bug". Is this a problem, what is it?
    Seems to me that with all these tools on my side, so many ads and the like would not be able to get through to me, somehow they are. Please let me know if you found any problems on the HijackThis list. And..any suggestions to what i can do, more than I already am, to keep my computer secure. Thank you for your advice and help with this, it is very much appreciated. parrotplay

    Logfile of HijackThis v1.97.7
    Scan saved at 3:59:23 AM, on 4/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\RAMfreer\RAMfreer.exe
    C:\Program Files\Turbo\arteraui.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Turbo\artera.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\LEEANN MILLER\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotjjo.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hotjjo.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by hotjjo
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RAMfreer] C:\Program Files\RAMfreer\RAMfreer.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.hotjjo.net
    O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet/domino/domino-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet/euchre/euchre-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire46.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke02.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo.com/applet/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Pirate's Gold by pogo - http://swashbucks06.pogo.com/applet/piratesgold/piratesgold-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://sweet03.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: The Sims Pinball by pogo - http://simball02.pogo.com/applet/simball/simball-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://turbo07.pogo.com/applet/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass/worldclass-ob-assets.cab
    O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{40D3D3F2-A5E0-440D-A51F-2C3A062D7A98}: NameServer = 66.81.0.251 66.81.0.252
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  3. parrotplay

    parrotplay Thread Starter

    Joined:
    Apr 13, 2003
    Messages:
    1,299
    Hi..thanx for your help with this. I do have Messenger disabled in services. I do not believe I have a firewall set up. I did install the Google Toolbar with the Popup stopper, got that advice from TSG! I do not know what that bear icon with set debug means...do you? I recall a hoax a while back involving the same icon, not sure if this was the one, or if this is an actual concern I should have. On the HijackThis Log, am concerned with the items I questioned in my post, as the info that came up said they were questionable, if being used for used to track, report, etc. The one file that has "Wildapp" in its contents, has me curious as to what that is, because on a game, I downloaded this control box unknowingly, that is now in my Control Panel and cannot be removed. The directive to remove was to..reinstall ALL the downloads and then, uninstall, as they added so much to my system and ads, I declined to do that. I am glad that nothing has its grips on me. Maybe the Spybot/Adaware scans wiped out whatever that may have been there. If you know what those entries may be in the Log, let me know. I am not a super-tech like many of you are, but am trying to learn what I can. Thanx for your help and advice...and have a Happy Easter...Lee
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The "bear" icon is legit; you can always check these for MS copyrights by holding the mouse over it or right clicking and selecting Properties > version.

    Can you vouch for this program?

    O4 - HKLM\..\Run: [RAMfreer] C:\Program Files\RAMfreer\RAMfreer.exe

    I can tell you that such programs are quite useless as Windows will take care of this on its own.

    And did you check for evidence of the look2me parasite? This is one that doesn't necessarily show up in a Scanlog.

    If you have a program in Add/Remove programs that does not remove, it may simply be a "leftover". Does the actual program folder for it exist? You could delete that manually. To remove the item from add/remove programs, run regedit and navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Look for the item under the "uninstall" key in the left hand pane. It can be right clicked on and deleted. But this in no way is involved in your pop up problem.
     
  5. parrotplay

    parrotplay Thread Starter

    Joined:
    Apr 13, 2003
    Messages:
    1,299
    Hi, Rollin'. Thank you again for your help. The Ramfreer is a small app that I keep running, was recommended because I keep getting "not enough memory" when trying to access certain games (a computer-techie friend of mine attempted to in increase my Ram to 256, now 128...neither chip would allow my system to work, so hed to go back to the 128 chip..He said both worked on similar systems he has. Emailed Dell, who made my system, never heard from them...proprietership? hmmm....). Thats the story on the Ramfreer and seems to help a little. the Wild Tangent control panel I said would not delete off my actual control panel, is not in REGEDIT first place I went when it would not just delete completely from add/remove. part, So I went to delete it from registry. Did it there. But that control panel of theirr..still is solid as a cyber rock can be. That bug you refer to, the look to me parasite, I have not heard of. How do I find out if I got that proverbial monkey on my back or not? Thanx again...The popup adds I a having, just want them to stop annoying me. And am having some unusual for me problems, like now, when I go back and type something to correct a letter I missed or whatnot, the word is not pushed but types over the word instead...it is very hard, have to find out what Idid to cause that.And...the Icon to lanch my dial-up acess, now will not respond, have to go into a program or something using internet access for my ISP to dial out, was working fine less than an hour ago. And only turned it off, back on. Something seems to be up. Thank you for all your help, keep it coming...!! parrotplay/Leeann
     
  6. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Parrotplay/Leeann :)

    Did you download and follow Rollin'Rog's advice on downloading "the killbox"? I'm referring to post #2.
     
  7. parrotplay

    parrotplay Thread Starter

    Joined:
    Apr 13, 2003
    Messages:
    1,299
    Finest/Rollin... I did download that. Extracted it. Now what do I do with these files. I get confused when I etract something and more than a single file is involved...I read the read me file, but don't know how to access the info you are speaking about. Can you please fill me in? Thanx for even more help. Leeann Miller'shisteig b
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    When you run killbox.exe you will see a tab "find msg {} dll".

    Select that. Do not select anything in there to delete, but save the log it creates and then open that and then copy/paste the kill.log here.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/218971

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice