ads.x10.com Popup

Discussion in 'SpywareBlaster & Other Forum' started by ReneeL, Jan 28, 2004.

Thread Status:
Not open for further replies.
  1. ReneeL

    ReneeL Guest

    I have Windows XP. I frequently run Adaware and Spybot S&D (and check updates each time) but I keep getting this popup with the url hxxp://ads.x10.com/xstream/xs_martha_LND295.htm. I downloaded SpywareBlaster and ran that but still this thing keeps popping up. I've got ZoneAlarm as well but can't seem to keep this stupid ad from popping up all the time. Can anyone help?
    TIA,
    Renee

    URL made unworkable for security reasons - paul
     
  2. ReneeL

    ReneeL Guest

    Sorry to post twice. I didn't think I'd hit the post button. Is there a way to delete the other post?
    Thanks again.
    Renee
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Done ;)

    regards.

    paul
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi ReneeL,

    Please follow the instructions posted here: http://www.wilderssecurity.com/showthread.php?t=15913
    As you stated you use AAW & SSD regularly, you can skip that part.

    Regards,

    Pieter
     
  5. ReneeL

    ReneeL Guest

    Thanks Paul and Pieter! :)
    Renee
     
  6. ReneeL

    ReneeL Guest

    Okay. I've downloaded Hijackthis, scanned and now have the log. Does anything look like the ads.x10 popup?

    Logfile of HijackThis v1.97.7
    Scan saved at 11:03:48 PM, on 1/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
    C:\WINDOWS\System32\PELMICED.EXE
    C:\Program Files\Netscape\Communicator\Program\nsnotify.exe
    C:\Program Files\MSWorks\Calendar\Wkcalrem.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\System32\DRIVERS\CDAC11BA.EXE
    C:\Program Files\Panda Software\Panda Antivirus Titanium\PAVSRV51.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
    C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http:8080
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\mail\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\Documents and Settings\All Users\Application Data\X0ff\X0ff.dll
    O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\Program Files\Support.com\backup\Ah\ahiehelp.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [GQLWDOJT] C:\WINDOWS\GQLWDOJT.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - Global Startup: nsnotify.lnk = C:\Program Files\Netscape\Communicator\Program\nsnotify.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: JT's Blocks - http://download.yahoo.com/games/clients/y/blr0_x.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21s0_x.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! Bingo - http://download.yahoo.com/games/clients/y/xr0_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Chat - http://cs5.chat.yahoo.com/c381/chat.cab
    O16 - DPF: Yahoo! Checkers - http://download.yahoo.com/games/clients/y/kr0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download.yahoo.com/games/clients/y/ccr0_x.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
    O16 - DPF: Yahoo! Dice - http://download.yahoo.com/games/clients/y/dcr0_x.cab
    O16 - DPF: Yahoo! Fleet - http://download.yahoo.com/games/clients/y/fltr0_x.cab
    O16 - DPF: Yahoo! Games Roomlist - http://download.yahoo.com/games/clients/y/akamai_test21_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zs0_x.cab
    O16 - DPF: Yahoo! GoStop - http://download.yahoo.com/games/clients/y/gsr1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Reversi - http://download.yahoo.com/games/clients/y/rr0_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.yahoo.com/games/clients/y/ywr0_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://activex.liveupdate.com/controls/cres.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://63.236.66.10/em/images/nocache/funwebproducts/SmileyCentralInitialTempSetup1.0.0.6.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://63.193.156.178/CFIDE/classes/CFJava.cab

    I can see my son plays a lot of online games. Can those be deleted as well (pogo, yahoo, etc.)? Any help is most appreciated!
    Renee

     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi ReneeL,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\Documents and Settings\All Users\Application Data\X0ff\X0ff.dll
    O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\Program Files\Support.com\backup\Ah\ahiehelp.dll (file missing)

    O4 - HKLM\..\Run: [GQLWDOJT] C:\WINDOWS\GQLWDOJT.exe

    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab

    Then reboot and delete:
    C:\Documents and Settings\All Users\Application Data\X0ff <= entire folder

    Regards,

    Pieter
     
  8. ReneeL

    ReneeL Guest

    Wonderful! So far, so good. Thanks so much!
    Renee
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Glad we could help. :)

    Pieter
     
  10. ReneeL

    ReneeL Guest

    ME TOO! Thanks a bunch!
    Renee
     
Thread Status:
Not open for further replies.