[Solved] Popup Adds

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

pencileater

Thread Starter
Joined
Sep 13, 2004
Messages
5
I'm having some problems with pop up advertisements that had never before attacked my computer so often. I'm runing windows xp/home edition (laptop). I had to switch from IE 6 to Mozilla Firefox because almost every window I'd open in IE would have an add attached to it. I've scanned my computer w/ Ad-ware 6, cwshredder and spybot search and destroy as well as Norton but they keep on detecting more and more infected files during every scan. Norton Antivirus has even detected some viruses which it has claimed to delete. This has never happened before - I'm surpirsed. I dont know what to do. Please help. :eek:
 
Joined
Jul 26, 2002
Messages
46,349
Hi pencileater

Welcome to TSG! :)

Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now Click here to download Hijack This. Download and save the file to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

The log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.
 

pencileater

Thread Starter
Joined
Sep 13, 2004
Messages
5
Logfile of HijackThis v1.98.2
Scan saved at 5:41:02 PM, on 9/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://forum.japantoday.com/do_asian_guys_like_white_girls%3F/m_107492/tm.htm");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("intl.charsetmenu.browser.cache", "Shift_JIS, UTF-8, windows-1252, ISO-8859-1");
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,netscape.com,aol.com,cs.com,yahoo.com,hotmail.com,msn.com");
user_pref("mailnews.ui.threadpane.version", 2);
user_pref("prefs.converted-to-utf8", true);
user_pref("signon.SignonFileName", "82019430.s");
user_pref("timebomb.first_launch_time"
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_19_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Owner\LOCALS~1\Temp\appB.tmp
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\Owner\Application Data\iptl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LimeWire 3.6.15.lnk = C:\Program Files\LimeWire\3.6.15\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0655ca68825eaf201b03/netzip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
 
Joined
Jul 26, 2002
Messages
46,349
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\tb_setup.exe /dcheck

O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Owner\LOCALS~1\Temp\appB.tmp

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\Owner\Application Data\iptl.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete this file:

C:\Documents and Settings\Owner\Application Data\iptl.exe

Delete this folder:

C:\Program Files\TV Media

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin
 

pencileater

Thread Starter
Joined
Sep 13, 2004
Messages
5
Thanks so much, I hope it works. So far I didn't encounter any problems. I just have few more concerns. When I was restarting my computer in the safe mode I happened to see 2 computer accounts: Administrator and mine password protected account. Well, I ended up doing the same thing on both of them because I didn't know which was default. I was just wondering if that could affect anything.
And also I did not find the 2 files (ipti.exe and TV Media folder) on either of the accounts. Yes i did follow the instuructions about hidden and protected files on both accounts. Is it possible that Hijak took care of them before I restarted in the safe mode?
I also found a "backups" folder on my desktop, along w/ couple of my old files (2 microsof word files and also a "thumbs.db" file) that were not on my desk top before the safe mode operation. Hope its nothing big. Thanks again.
 
Joined
Jul 26, 2002
Messages
46,349
You did right by doing it in both accounts.

The thumbs.db is a hidden system file. It is visible now because of the changes you made before in the folder options to show hidden file. If you reverse those changes it will no longer be visible.

The backup files were created by Hijack This. It cretes backups og everything you fix with it. If you are sure you didn't delete anything with HJT that you shouldn't have you can delete those now. For future reference you need to create a "New Folder" somewhere like in My Documents and name it Hijack This. Put the hijackthis.exe in it and run it from there. That way it will store the backups in that folder and not scatter them all over your desktop.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top