
What's This???

Discussion in 'Web & Email' started by stu37, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. stu37

    stu37 Thread Starter

    Joined:
    Jun 9, 2002
    Messages:
    562
    hi, whenever i browse the web, i usually get 2 of these on taskbar, so i click on them and nothing will show on browser, so i right click on them and close them. Anyone know what these urls are and how to block them? Spybot and AdAware don't show them and i tried blocking on ie6 and they still show. It only happens on explorer. Anyone know? here's example:

    http://media19.fastclick.net/w/safe...4&len=0&c=0&nfcp=1&top=150&left=40&pop=slider
     
  2. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    This is adware. It is provided to you by Fastclick. I'd get rid of it if I were you.
     
  3. EvileYe

    EvileYe

    Joined:
    Aug 30, 2003
    Messages:
    1,281
    Looks like spyware to me. Do as below and post your results into the security forum and someone who knows more about these things than me will advise you of what you need to do.


    Download 'Hijack This!' from http://www.spywareinfo.com/files/hijackthis.zip
    Unzip, and run HijackThis.exe, and hit "Scan".
    When the scan is finished, click "Save Log", and copy and paste it in a post.

    Don't fix anything yet as most of what is in the log will be ok,
    Just paste it in here and someone will have a look at it for you.
    .
     
  4. stu37

    stu37 Thread Starter

    Joined:
    Jun 9, 2002
    Messages:
    562
    yes i know it is spyware but i've tried all to get rid of them and spyware such as spybot and adaware6 has not caught it. i shall wait and see if someone will transfer this to security or if someone else has any ideas. here is log:

    Logfile of HijackThis v1.97.2
    Scan saved at 9:21:34 AM, on 9/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\Program Files\MECA\Meca.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\NoAds\NoAds.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Bob S \Application Data\Mozilla\Profiles\default\qwccdfrf.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Bob s\Application Data\Mozilla\Profiles\default\qwccdfrf.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: MECA-IE - {E7DC02F7-A213-4866-B800-FDCB4555FB79} - C:\Program Files\MECA\HBO.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MECA] C:\Program Files\MECA\Meca.exe
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6(2).dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {44EF3799-53A0-4D7A-BD9F-DC103F2FB8D9} (MSN Money QuickList) - http://fdl.msn.com/public/investor/v13/investor.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/143961c897fc9cd59614/netzip/RdxIE601.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.8868402778
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
     
  5. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Restart Hijack This, put a check mark against the following:

    O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
    O2 - BHO: MECA-IE - {E7DC02F7-A213-4866-B800-FDCB4555FB79} - C:\Program Files\MECA\HBO.dll
    O4 - HKLM\..\Run: [MECA] C:\Program Files\MECA\Meca.exe
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O9 - Extra button: Save (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/143961c897fc9c...ip/RdxIE601.cab

    Click Fix checked

    Restart your computer

    Go to C:\Program Files, find, right-click and delete the MECA folder
    then go to C:\WINDOWS\System32 and delete the msbb.exe file
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    These are legitimate:

    O2 - BHO: MECA-IE - {E7DC02F7-A213-4866-B800-FDCB4555FB79} - C:\Program Files\MECA\HBO.dll

    O4 - HKLM\..\Run: [MECA] C:\Program Files\MECA\Meca.exe

    According to Tony Klein's BHO list:

    http://www.spywareinfo.com/bhos/archives/000170.php
     
  7. Corrosive

    Corrosive

    Joined:
    Jan 9, 2003
    Messages:
    1,058
  8. stu37

    stu37 Thread Starter

    Joined:
    Jun 9, 2002
    Messages:
    562
    so is "O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" that's my popup stopper.
    Also, is " No Name, MSBB, 09, and 016 ok to check? just want to make sure. Thanks
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This and put a check by these. Close all browser windows and "Fix Checked"

    O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)

    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/143961c897fc9c...ip/RdxIE601.cab

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The C:\WINDOWS\System32\msbb.exe file
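
Added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over a few lines excerpted from the log posted above. It surfaces the two entries that stand out structurally, the BHO whose DLL is "(no file)" and the ActiveX download whose source is a bare IP address. The function names are hypothetical, and the msbb.exe Run entry is not caught because the helpers recognised it by name, which no structural check can do.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/143961c897fc9cd59614/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# "O2 - ...", "O16 - ...", "N3 - ..."; process paths and headers do not match.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Yield (section, body) for each 'Xn - ...' entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review(log):
    """Return [(section, clsid_or_None, reason)] for entries worth a closer look."""
    findings = []
    for section, body in parse(log):
        m = CLSID.search(body)
        clsid = m.group(0) if m else None
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, clsid, "BHO registered but its DLL is missing"))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]  # source URL is the last field
            if url.startswith("http") and host_is_ip(url):
                findings.append((section, clsid, "ActiveX control fetched from a bare IP address"))
    return findings
```

A finding here is a prompt to look the CLSID or file name up before fixing anything, which is what the replies above do with the BHO list.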
     
  10. stu37

    stu37 Thread Starter

    Joined:
    Jun 9, 2002
    Messages:
    562
    thanks flrman 1 and everyone else that helped. finished doing and now i will see what happens. thanks again
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  12. stu37

    stu37 Thread Starter

    Joined:
    Jun 9, 2002
    Messages:
    562
  13. Corrosive

    Corrosive

    Joined:
    Jan 9, 2003
    Messages:
    1,058
    It's probably a piece of software on your PC which uses spyware to fund it. KaZaA, for example, rather famously uses spyware, much to the annoyance of us techs who have to pick up the pieces. :rolleyes:

    Anyway, have you installed any free/shareware on to your PC recently? If so, it could be the cause. Put the name of any apps you think could be up to this into www.spychecker.com and it'll say if it contains any spyware or not.
     
  14. stu37

    stu37 Thread Starter

    Joined:
    Jun 9, 2002
    Messages:
    562
    ok thanks, if i think of any will do so
    bob
     

Short URL to this thread: https://techguy.org/168043
