
Advertising Pop Ups Keep Coming Up All The Time



#1 blancette


Posted 01 December 2005 - 10:59 AM

I have run all the suggested items in the preparation guide. I am running Windows XP Professional, which has all the latest updates. I have also always had McAfee, and it is updated every night. I am attached to a LAN and a WAN and use IBM Client Software to attach to my business system. My first problem began when I couldn't attach to the WAN. I discovered that my HOSTS file had been changed. I deleted it, copied it from another PC back onto my system, and set the attributes to read-only. I also noticed that some sites had been added to my trusted zones in IExplore (IP addresses 164.109.25.72 and 207.130.86.35). I couldn't delete them from there but was able to find them when I did a REGEDIT and deleted them, and they haven't come back. That seemed to solve that problem; however, now I cannot change the attributes back to normal on my HOSTS file, as I get a message that says access is denied. I also had a virus EXPLOIT which McAfee deleted. Additionally, when I ran the suggested programs, the following were identified and deleted: Spyware.CWSAddClass with file name Addclass.exe and Adware.Pouppers with file name a65d.exe and Spyware.e2give and Virus:Trj/Lowzones with file name C:\Windows\F ma.exe and Dialer:Dialer.No C:\Windows\DownloadedProgram Files\gdnUS2161.exe and Adware:adware/exact.gargainbuddy file name C:\Windoows\msxct1.ini and Virus:Trj/Agent.Apg file name C:\Windows\system32\pnp_32.dll

In addition to your suggestion, I also purchased a spyware program called Spyware Detector and ran it after your suggested programs. It detected Winfixer.

However, advertising popups and unwanted cookies continue to infiltrate my system as soon as I log onto the internet. I have Google's toolbar and have it set to stop pop-ups, and I have also tried setting the pop-up blocker in Internet Explorer, but nothing stops them. They come up immediately when I open my browser. If I manually delete them as they pop up, then they don't seem to come back right away unless I go in and out of my browser.

Here is my HJT logfile.

Logfile of HijackThis v1.99.1
Scan saved at 8:51:12 AM, on 12/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Qurb\QSP-3.0.311.7\QOELoader.exe
C:\WINDOWS\system32\SDSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DIS\Interface Manager\IntrMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
C:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
c:\pwrview\PwrView.exe
C:\PROGRA~1\DIS\INTERF~1\DISAVAR.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\De050\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by American Honda Motor Co., Inc.
O2 - BHO: (no name) - B{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - B{53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - B{AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\system32\SDSystemTray.exe
O4 - HKLM\..\Run: [MonitorSD] C:\Program Files\SpywareDetector\SDMonitor.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\WINDOWS\system32\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DIS Interface Manager.lnk = C:\Program Files\DIS\Interface Manager\IntrMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.SULLINET.COM
O15 - Trusted Zone: *.TEREXAMERICAS.COM
O15 - Trusted Zone: *.ahmdealer.com (HKLM)
O15 - Trusted Zone: *.honda.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3A6D818-FF49-4F8E-A80B-13F3A8F4471A}: Domain = dlrSSX1.casecorp.com
O20 - Winlogon Notify: GoToMyPC - G2WinLogon.dll (file missing)
O20 - Winlogon Notify: TPLogon - TPLogon.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SpyDetectSVC - Max Secure Software Technologies - C:\WINDOWS\system32\SpywareDetectorSVC.exe


#2 -David-


Posted 02 December 2005 - 03:55 PM

List programs that can be removed using Windows 'Add or Remove'

This utility, "List Installed Programs", will provide a list of installed programs. It is found halfway down the page. Click on the little arrow and then the download icon in the new window that opens up. You can download the script and run it from your hard disk or run it without downloading.
When asked to enter the PC details, leave it blank and click OK. Ask to view the results and copy the Notepad list. Paste it in a reply to this thread.

David



