I have tried everything I know to get rid of popups. Need Help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

onely

Thread Starter
Joined
Apr 17, 2001
Messages
281
Hello,

My daughter downloaded msn plus the other day and ever since I cannot get rid of popups and things added to my favorites that won't go away. I uninstalled msn plus.

I have updated and ran spybot. The same things keep coming back .

I have updated and ran adaware..I can get down to 4 things.

My hijack log shows this.

Logfile of HijackThis v1.99.1
Scan saved at 6:02:09 AM, on 16/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Irene\Desktop\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.aliant.net/home.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Site platform] C:\DOCUME~1\Irene\APPLIC~1\FILMTR~1\CampDeaf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




What the heck is campdeaf.exe.

Webtrends live seems to be the big culprit.

I would appreciate your help. Thank you.
 

onely

Thread Starter
Joined
Apr 17, 2001
Messages
281
Norton antivirus finds no viruses but finds at risk 180 search assistant
 

onely

Thread Starter
Joined
Apr 17, 2001
Messages
281
I did a norton anti virus scan in safe mode. I was able to delete 180 search assistant there. Things seeem to be ok right now. Hopefully it will not return after a few re boots.

Thanks anyway for your help.
 

onely

Thread Starter
Joined
Apr 17, 2001
Messages
281
What is a LOP infection?
Here is my log. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 9:12:53 AM, on 17/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Irene\Desktop\New Folder (3)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.aliant.net/home.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Messenger Plus!, if installed to include the 'sponsor program', will install adware on your computer that generates pop up windows. The Sponsor Program will also change your home page, your search engine settings, place numerous links in IE favorites (including online casino and gambling links) and place more links on your desktop. The search toolbar that is installed cannot be turned off. The pop up advertising windows will appear even if you are running IE's pop-up blocker. This is because the Sponsor Program adds its advertisement URLs to the pop-up blocker exclusion list. That's what we call a LOP infection.

I'd like to make sure all of it is gone.

Run ActiveScan online virus scan:
http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
Save the results from the scan and post them here.
 

onely

Thread Starter
Joined
Apr 17, 2001
Messages
281
hello,
here is the scan.I will wait for your response before I go ahead and delete.
Thank you


Incident Status Location

Adware:adware/block-checker Not disinfected C:\WINDOWS\SYSTEM32\ustart.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\SYSTEM32\f3PSSavr.scr
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Irene\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Irene\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Irene\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Local Settings\Temp\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Local Settings\Temp\Cookies\[email protected][2].txt
Adware:Adware/Dyfuca Not disinfected C:\Documents and Settings\Irene\Local Settings\Temp\cfin[cfin]
Adware:Adware/Dyfuca Not disinfected C:\Documents and Settings\Irene\Local Settings\Temp\cfout.txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][3].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][3].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][4].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][3].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][3].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][4].txt
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Download KillBox here: http://www.downloads.subratam.org/KillBox.exe
Save it to your desktop.
DO NOT run it yet.


Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

* Double-click on Killbox.exe to run it.

Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\WINDOWS\SYSTEM32\ustart.exe
C:\WINDOWS\SYSTEM32\f3PSSavr.scr
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
C:\Program Files\MSN Messenger\riched20.dll


Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to Tools > Delete Temp Files
In the window that pops up, put a check by ALL the options there except these three:
XP Prefetch
Recent
History

Now click the Delete Selected Temp Files button.
Exit the Killbox.

Empty out this folder: C:\Documents and Settings\Irene\Local Settings\Temp

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.
 

onely

Thread Starter
Joined
Apr 17, 2001
Messages
281
I couldn't do it in safe mode. killbox wasn't on the desktop anymore. I did it in normal window.
Looks like I got some but not all.


Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\f3PSSavr.scr
Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\riched20.dll
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Irene\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Recycled\NPROTECT\00065037.SCR
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Recycled\NPROTECT\00065039.INF
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Recycled\NPROTECT\00065040.dll
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Anything in C:\!KillBox can be removed. That's the folder where KillBox makes backups.

Cookies can be deleted normally:

Open Internet Explorer and click on Tools
Click on Internet Options
On the General Tab, click on Delete Cookies

And empty the Recycle Bin.

You should be good to go now. :)
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You're welcome :)

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the Thread Tools drop down menu.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top