[Resolved] Pop-up when booting

[JimL904]

I get a pop-up window when I boot. It also creates a directory called ecommerce with a couple files in it. In addition, it creates an icon on my desktop. When I delete these things, and re-boot, the directory, icons, files, and pop-up re-appear. I use AOL with dial up access so I know I'm not online when this happens. I have run startuplist and included it here for analysis:

StartupList report, 1/9/03, 8:36:48 PM
StartupList version: 1.50
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IRE\CISCO SECURE VPN CLIENT\IPSECMON.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\S3TRAY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\TOSHIBA\IVP\ISM\PINGER.EXE
C:\PROGRAM FILES\TIOGA\CLIENT\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
aol.lnk = C:\Program Files\America Online 8.0\aol.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
S3TRAY = S3tray.exe
TOSHIBSU = TOSHIBSU.EXE
THotkey = THotkey.exe
TDspOff = TDspOff.Exe B
PowerTray = PwrTray.EXE
PsPCCard = PsPCCard.EXE
TEscKey = TEscKey.exe
TFunckey = TFuncKey.exe
EM_EXEC = c:\mouse\system\em_exec.exe
Pinger = C:\TOSHIBA\IVP\ISM\pinger.exe
TgAddServer = "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.answerteam.com/global"
Tgcmd = "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
tgsetsite = "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
IrMon = IrMon.exe
YAMAHA DS-XG Launcher = c:\windows\dslaunch.exe
mdac_runonce = C:\WINDOWS\SYSTEM\runonce.exe
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
NPROTECT = C:\Program Files\Norton Utilities\NPROTECT.EXE
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
SystemTasks = C:\sexicamz.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
Encompass_ENCMONTR = C:\Program Files\Easy Internet\ENCMONTR.EXE
HDDPwd =
IREIKE = C:\Program Files\IRE\Cisco Secure VPN Client\IreIKE.exe start
IPSecMon = C:\Program Files\IRE\Cisco Secure VPN Client\IPSecMon.exe start
NPROTECT = C:\Program Files\Norton Utilities\NPROTECT.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\IE4UINIT.EXE

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\SCIENCE.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 5/1/2003, 12:20:44)

[rename]
nul=c:\windows\TEMP\~f1d055.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
PATH=C:\DOS
IF EXIST TOSCD001 LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:TOSCD001

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE X=C000-CFFF
LASTDRIVE=Z
DEVICE=c:\windows\Panning.SYS

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

@echo off
REM
REM
IF EXIST TOSCD001 C:\WINDOWS\COMMAND\MSCDEX.EXE /D:TOSCD001
c:\mouse\mouse.exe

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - {004A5840-FF59-11d2-B50D-0090271D3FD4}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Scan For Viruses.job

--------------------------------------------------

Enumerating Download Program Files:

[{51045741-8C4E-4EAC-8F03-08E43A6FBB29}]
CODEBASE = http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

--------------------------------------------------
End of report, 7,818 bytes
Report generated in 0.848 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[rugrat]

First, Welcome to TSG!


Next I would go here http://tomcoyote.com/SPYBOT/

And download and run spybot.
If this does not solve the problem, I would click on the report tab at the top of the post and ask a moderator to move this to security so the people who know what they are looking at can have a better look at your post. If you want to try additional things such as online virus scanners etc... Go here http://forums.techguy.org/t110854/sc53a516cad96cdef3db9ba30a4837132.html
Rog has done a great job with linking additional resources.


Let us know

 

[Rollin' Rog]

You've got a lot of funky Toshiba laptop stuff there and lord knows whether you need everything you have running at startup.

But the ads might be coming from:

TgAddServer = "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.answerteam.com/global"

See this link and do ctrl-f to find specific startups such as TgAddServer:

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

I don't think Spybot will remove it, but it's still worth installing and running.

Startup programs can be disabled by going to Start>Run and entering msconfig

Just uncheck them under the startup tab to troubleshoot, or leave them permanently unchecked if you don't really use or need them.

 

[TonyKlein]

This one needs to go too:

SystemTasks = C:\sexicamz.exe :

http://www.cexx.org/liveshow.htm

SpyBot probably removes it as well, but do keep an eye on it.

 

[JimL904]

Spybot found the problem files and deleted them just as I had done manually only to have them return upon re-boot. Tony's link above provided the exact instructions needed for a permanent fix. Thanks to all for the assist. Jim

 

[rugrat]

And again I must bow to Tony's wisdom. You really should see his Guru picture

 

[TonyKlein]

Originally posted by rugrat:
And again I must bow to Tony's wisdom. You really should see his Guru picture

Yup, here's another picture of me, on my way to solve yet another computer problem!

<img src= "http://www.sikhnet.com/thesikhs/images/Guru%20Nanak%20Traveling%20the%20Country%20Side.jpg">