Hijack This Log...Pop-ups suddenly started

[parrotplay]

Hi. I suddenly started being inundated with pop-up ads, some taking up the entire screen and cannot find a way you, unless I use the Task Manager in my XP, which then takes me out of everything, not just that ad closes. Many of these ads say Microsoft on them. Am sure you know...this is one ad right after the next and is so annoying. Can you see anything that may be the problem for this, on my Hijack This Log I just ran? Prior to running this, I ran Spybot and also Adaware 6, both found items that I took care. I usually have none. Not 10, 20 or more. I have Spyware Guard running in the background, Browser HiJack Blaster, X-Cleaner, Spyware Blaster and the Google Pop-up stopper toolbar. AND I just kicked AOL to the curb, finding a much more satisfactory ISP, deleting and uninstalling as much as I could find on AOL. I am not able to uninstall this game control that was installed without me realizing it, just wanted to play a game, it is Wild Tangent. That may be the problem, I don't know. Also, while browsing in Windows to change an icon, I found an item, with a bear, named, "Set De Bug". Is this a problem, what is it?
Seems to me that with all these tools on my side, so many ads and the like would not be able to get through to me, somehow they are. Please let me know if you found any problems on the HijackThis list. And..any suggestions to what i can do, more than I already am, to keep my computer secure. Thank you for your advice and help with this, it is very much appreciated. parrotplay

Logfile of HijackThis v1.97.7
Scan saved at 3:59:23 AM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\RAMfreer\RAMfreer.exe
C:\Program Files\Turbo\arteraui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Turbo\artera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\LEEANN MILLER\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotjjo.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hotjjo.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by hotjjo
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RAMfreer] C:\Program Files\RAMfreer\RAMfreer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hotjjo.net
O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet/euchre/euchre-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire46.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke02.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo.com/applet/mahjong/mahjong-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks06.pogo.com/applet/piratesgold/piratesgold-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet03.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: The Sims Pinball by pogo - http://simball02.pogo.com/applet/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo07.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdown/whackdown-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass/worldclass-ob-assets.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40D3D3F2-A5E0-440D-A51F-2C3A062D7A98}: NameServer = 66.81.0.251 66.81.0.252

 

[Rollin' Rog]

I don't see anything in the Scanlog to explain the pop-ups. Could these be "messenger" ads? Do you have the XP firewall enabled, or have you disabled the "messenger" service?

http://support.microsoft.com/default.aspx?scid=kb;en-us;330904

Also to search for possible evidence of a "look2me" parasite, run the "kill box" you can download here:

http://download.broadbandmedic.com/VbStuff/KillBox.zip

Select "Find msg{}.dll" and save and copy/paste a log of anything it finds.

 

[parrotplay]

Hi..thanx for your help with this. I do have Messenger disabled in services. I do not believe I have a firewall set up. I did install the Google Toolbar with the Popup stopper, got that advice from TSG! I do not know what that bear icon with set debug means...do you? I recall a hoax a while back involving the same icon, not sure if this was the one, or if this is an actual concern I should have. On the HijackThis Log, am concerned with the items I questioned in my post, as the info that came up said they were questionable, if being used for used to track, report, etc. The one file that has "Wildapp" in its contents, has me curious as to what that is, because on a game, I downloaded this control box unknowingly, that is now in my Control Panel and cannot be removed. The directive to remove was to..reinstall ALL the downloads and then, uninstall, as they added so much to my system and ads, I declined to do that. I am glad that nothing has its grips on me. Maybe the Spybot/Adaware scans wiped out whatever that may have been there. If you know what those entries may be in the Log, let me know. I am not a super-tech like many of you are, but am trying to learn what I can. Thanx for your help and advice...and have a Happy Easter...Lee

 

[Rollin' Rog]

The "bear" icon is legit; you can always check these for MS copyrights by holding the mouse over it or right clicking and selecting Properties > version.

Can you vouch for this program?

O4 - HKLM\..\Run: [RAMfreer] C:\Program Files\RAMfreer\RAMfreer.exe

I can tell you that such programs are quite useless as Windows will take care of this on its own.

And did you check for evidence of the look2me parasite? This is one that doesn't necessarily show up in a Scanlog.

If you have a program in Add/Remove programs that does not remove, it may simply be a "leftover". Does the actual program folder for it exist? You could delete that manually. To remove the item from add/remove programs, run regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Look for the item under the "uninstall" key in the left hand pane. It can be right clicked on and deleted. But this in no way is involved in your pop up problem.

 

[parrotplay]

Hi, Rollin'. Thank you again for your help. The Ramfreer is a small app that I keep running, was recommended because I keep getting "not enough memory" when trying to access certain games (a computer-techie friend of mine attempted to in increase my Ram to 256, now 128...neither chip would allow my system to work, so hed to go back to the 128 chip..He said both worked on similar systems he has. Emailed Dell, who made my system, never heard from them...proprietership? hmmm....). Thats the story on the Ramfreer and seems to help a little. the Wild Tangent control panel I said would not delete off my actual control panel, is not in REGEDIT first place I went when it would not just delete completely from add/remove. part, So I went to delete it from registry. Did it there. But that control panel of theirr..still is solid as a cyber rock can be. That bug you refer to, the look to me parasite, I have not heard of. How do I find out if I got that proverbial monkey on my back or not? Thanx again...The popup adds I a having, just want them to stop annoying me. And am having some unusual for me problems, like now, when I go back and type something to correct a letter I missed or whatnot, the word is not pushed but types over the word instead...it is very hard, have to find out what Idid to cause that.And...the Icon to lanch my dial-up acess, now will not respond, have to go into a program or something using internet access for my ISP to dial out, was working fine less than an hour ago. And only turned it off, back on. Something seems to be up. Thank you for all your help, keep it coming...!! parrotplay/Leeann

 

[FinestRanger]

Parrotplay/Leeann

Did you download and follow Rollin'Rog's advice on downloading "the killbox"? I'm referring to post #2.

 

[parrotplay]

Finest/Rollin... I did download that. Extracted it. Now what do I do with these files. I get confused when I etract something and more than a single file is involved...I read the read me file, but don't know how to access the info you are speaking about. Can you please fill me in? Thanx for even more help. Leeann Miller'shisteig b

 

[Rollin' Rog]

When you run killbox.exe you will see a tab "find msg {} dll".

Select that. Do not select anything in there to delete, but save the log it creates and then open that and then copy/paste the kill.log here.