pop-ups galore

Discussion in 'adware, spyware & hijack cleaning' started by MEGAN, Mar 16, 2004.

Thread Status:
Not open for further replies.
  1. MEGAN

    MEGAN Guest

    The problems I am having with my system are 1) search popup ads when I search using my Yahoo toolbar and 2) general popup ads when surfing just about any site.

    I followed the directions here and downloaded and ran Ad-away & Spybot and also downloaded HijackThis. Haven't checked to see if I still get the popups, but would like the log reviewed.

    Hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:19:25a, on 03/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Program Files\McAfee\VirusScan TC\Avsynmgr.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\McAfee\VirusScan TC\Vshwin32.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\McAfee\McShield\Mcshield.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\McAfee\VirusScan TC\VsStat.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Lexa software\Organizer\organizer.exe
    C:\Windows\System32\ctfmon.exe
    C:\Windows\webshots.scr
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\MGARNHUM\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://intranet/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://intranet/
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 63.94.0.225 adkill.arrrr.com
    O1 - Hosts: 63.94.0.225 ads.x10.com
    O1 - Hosts: 63.94.0.225 ad.doubleclick.net
    O1 - Hosts: 63.94.0.225 ad.uk.doubleclick.net
    O1 - Hosts: 63.94.0.225 actionsplash.com
    O1 - Hosts: 63.94.0.225 media.admonitor.net
    O1 - Hosts: 63.94.0.225 www.credit-counseling-foundation.org
    O1 - Hosts: 63.94.0.225 www.consumerinfo.com
    O1 - Hosts: 63.94.0.225 www.hitcents.com
    O1 - Hosts: 63.94.0.225 www.ediets.com
    O1 - Hosts: 63.94.0.225 servedby.advertising.com
    O1 - Hosts: 63.94.0.225 rd.advertising.com
    O1 - Hosts: 63.94.0.225 www.got2goshop.com
    O1 - Hosts: 63.94.0.225 www.colonize.com
    O1 - Hosts: 63.94.0.225 media.fastclick.net
    O1 - Hosts: 63.94.0.225 adserver.matchcraft.com
    O1 - Hosts: 63.94.0.225 ad.iwin.com
    O1 - Hosts: 63.94.0.225 ads.iwon.com
    O1 - Hosts: 63.94.0.225 ads.weather.com
    O1 - Hosts: 63.94.0.225 ar.atwola.com
    O1 - Hosts: 63.94.0.225 c1.zedo.com
    O1 - Hosts: 63.94.0.225 server.as5000.com
    O1 - Hosts: 63.94.0.225 server2.as5000.com
    O1 - Hosts: 63.94.0.225 ads.wunderground.com
    O1 - Hosts: 63.94.0.225 ln.doubleclick.net
    O1 - Hosts: 63.94.0.225 ads.websponsors.com
    O1 - Hosts: 63.94.0.225 ads1.intelliads.com
    O1 - Hosts: 63.94.0.225 adserv.net
    O1 - Hosts: 63.94.0.225 www.clickheretofind.com
    O1 - Hosts: 63.94.0.225 www.focalex.com
    O1 - Hosts: 63.94.0.225 view.atdmt.com
    O1 - Hosts: 63.94.0.225 img.mediaplex.com
    O1 - Hosts: 63.94.0.225 img-snv.mediaplex.com
    O1 - Hosts: 63.94.0.225 www.burstnet.com
    O1 - Hosts: 63.94.0.225 ad.trafficmp.com
    O1 - Hosts: 63.94.0.225 ads.msn.com
    O1 - Hosts: 63.94.0.225 global.msads.net
    O1 - Hosts: 63.94.0.225 www.qksrv.net
    O1 - Hosts: 63.94.0.225 www.fineclicks.com
    O1 - Hosts: 63.94.0.225 s0b.bluestreak.com
    O1 - Hosts: 63.94.0.225 www.clickaction.net
    O1 - Hosts: 63.94.0.225 bidclix.net
    O1 - Hosts: 63.94.0.225 media.popuptraffic.com
    O1 - Hosts: 63.94.0.225 www.smartpages.com
    O1 - Hosts: 63.94.0.225 service.bfast.com
    O1 - Hosts: 63.94.0.225 image.linkexchange.com
    O1 - Hosts: 63.94.0.225 www.my-stats.com
    O1 - Hosts: 63.94.0.225 secure.webconnect.net
    O1 - Hosts: 63.94.0.225 www.ourmagicbox.com
    O1 - Hosts: 63.94.0.225 www.bns1.net
    O1 - Hosts: 63.94.0.225 www.websponsors.com
    O1 - Hosts: 63.94.0.225 www.freeppv.tv
    O1 - Hosts: 63.94.0.225 altfarm.mediaplex.com
    O1 - Hosts: 63.94.0.225 art.digitalcity.com
    O1 - Hosts: 63.94.0.225 aimtoday.aol.com
    O1 - Hosts: 63.94.0.225 ads.intellicast.com
    O1 - Hosts: 63.94.0.225 serve.thisbanner.com
    O1 - Hosts: 63.94.0.225 ads.belointeractive.com
    O1 - Hosts: 63.94.0.225 www.clickedyclick.com
    O1 - Hosts: 63.94.0.225 ads.allsites.com
    O1 - Hosts: 63.94.0.225 www.jlaps.com
    O1 - Hosts: 63.94.0.225 realmedia-a800.d4p.net
    O1 - Hosts: 63.94.0.225 ad.jp.doubleclick.net
    O1 - Hosts: 63.94.0.225 ads3.zdnet.com
    O1 - Hosts: 63.94.0.225 www3.ad.tomshardware.com
    O1 - Hosts: 63.94.0.225 www15.ad.tomshardware.com
    O1 - Hosts: 63.94.0.225 ads.fortunecity.com
    O1 - Hosts: 63.94.0.225 www.classmates.com
    O1 - Hosts: 63.94.0.225 banners.classmates.com
    O1 - Hosts: 63.94.0.225 graphics.classmates.com
    O1 - Hosts: 63.94.0.225 ads.clickagents.com
    O1 - Hosts: 63.94.0.225 adtracking.net-on.net
    O1 - Hosts: 63.94.0.225 www8.ad.tomshardware.com
    O1 - Hosts: 63.94.0.225 tour.teen-mail4free.com
    O1 - Hosts: 63.94.0.225 stats.hitbox.com
    O1 - Hosts: 63.94.0.225 hg1.hitbox.com
    O1 - Hosts: 63.94.0.225 adserver1.realtracker.com
    O1 - Hosts: 63.94.0.225 ads.mircx.com
    O1 - Hosts: 63.94.0.225 images.mircx.com
    O1 - Hosts: 63.94.0.225 pop.mircx.com
    O1 - Hosts: 63.94.0.225 tpl1.realtracker.com
    O1 - Hosts: 63.94.0.225 www.freestores.biz
    O1 - Hosts: 63.94.0.225 images.freestores.biz
    O1 - Hosts: 63.94.0.225 www.0catch.com
    O1 - Hosts: 63.94.0.225 images.0catch.com
    O1 - Hosts: 63.94.0.225 68076.webmersion.com
    O1 - Hosts: 63.94.0.225 ads.digitalmedianet.com
    O1 - Hosts: 63.94.0.225 affiliate.cfdebt.com
    O1 - Hosts: 63.94.0.225 m.doubleclick.net
    O1 - Hosts: 63.94.0.225 m2.doubleclick.net
    O1 - Hosts: 63.94.0.225 ads.amazingmedia.com
    O1 - Hosts: 63.94.0.225 adcontent.gamespy.com
    O1 - Hosts: 63.94.0.225 www.haignet.com
    O1 - Hosts: 63.94.0.225 a1964.g.akamaitech.net
    O1 - Hosts: 63.94.0.225 topsite.anime-honor.com
    O1 - Hosts: 63.94.0.225 images.bravenet.com
    O1 - Hosts: 63.94.0.225 ads1.advertwizard.com
    O1 - Hosts: 63.94.0.225 www.thesmalldot.com
    O1 - Hosts: 63.94.0.225 www.cruisedirect.net
    O1 - Hosts: 63.94.0.225 www.marketnprofit.com
    O1 - Hosts: 63.94.0.225 ordertrafficnow.com
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\Windows\mxTarget.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5e353fbc-e87e-4b68-ac89-d28e5db00c9b} - C:\DOCUME~1\MGARNHUM\APPLIC~1\trblmoothstr.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_12_0.dll
    O3 - Toolbar: acttaiebstb - {179cae1c-173b-4b16-b405-c235f3f0c67e} - C:\DOCUME~1\MGARNHUM\APPLIC~1\trblmoothstr.dll (file missing)
    O4 - HKLM\..\Run: [Smapp] ; C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [To DO List] "C:\Program Files\Lexa software\Organizer\organizer.exe"
    O4 - HKLM\..\Run: [frsk] C:\Windows\frsk.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\PROGRA~1\XEMICO~1\ACTIVE~1\ADC.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37851.2257175926
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {C87ACE20-4BA7-11D4-AD69-0000F80020BC} (MEDITECHAppDwnld) - http://intranet/Download/MTAppDwn.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
     
  2. Megan

    Megan Guest

    FYI - All those hosts are from this:

    # This Hosts file is designed to remove advertisements from bothersome
    # websites. More information is at http://adkill.arrrr.com/
    # Visit http://arrrr.com/ for non adkill information.
    # Websites on this list are blacklisted because they serve annoying
    # advertisements.

    I added this; it didn't stop the popups, but at least I don't have to look at the ads anymore. They pop up, then attempt to close themselves. I'd like to get rid of whatever it is that's causing the popup ads.
     
  3. yokenny

    yokenny Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    27
    Location:
    Toronto, Canada
    Megan, welcome.

    The best way to kill ads is to use the localhost redirect of 127.0.0.1
    http://www.accs-net.com/hosts/

    Then use eDexter to remove the red 'x's
    http://www.accs-net.com/hosts/eDexter.html

    The HOSTS file I use and help maintain:
    http://webpages.charter.net/hpguru/hosts/hosts.html

    You need to turn off the seldom needed DNS Client Service.
    http://www.blackviper.com/WinXP/servicecfg.htm

    Now your problem:

    Do not use the Yahoo redirector to get to Yahoo search as it is a resource waster.

    Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked".

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://intranet/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://intranet/
    R3 - Default URLSearchHook is missing

    Delete all O1 entries.

    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\Windows\mxTarget.dll
    O2 - BHO: (no name) - {5e353fbc-e87e-4b68-ac89-d28e5db00c9b} - C:\DOCUME~1\MGARNHUM\APPLIC~1\trblmoothstr.dll (file missing)
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE


    Make sure 'show all files' is enabled:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=&docid=2002103012571948&nsf=ent-security.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

    Then reboot into Safe Mode by tapping the F8 key at bootup.

    Delete if still present:
    C:\Program Files\ClearSearch <== folder
    C:\Windows\mxTarget.dll <== file
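Added example (written for this page, not code from either poster or from HijackThis itself): a small Python script that applies the triage rules from the two posts above to lines in the HijackThis v1.97 log format. It flags O1 entries whose redirect target is not a loopback address (the adkill list in the first post points every listed ad host at 63.94.0.225, so each "blocked" request is still sent to that remote machine, which is why the 127.0.0.1 redirect recommended above is the safer choice), flags O2/O3 entries marked (file missing) or loaded from a user profile directory or straight from the Windows directory root, and rewrites the O1 entries as 127.0.0.1 HOSTS lines. The sample log lines, the ads.example.test host and the path heuristics are constructed for the example; the heuristics are a first pass for review, not a verdict on any entry, and they do not replace recognising specific entries by name the way the reply above does.

```python
import ipaddress
import re

# Constructed sample in HijackThis v1.97 log format, modelled on entries
# quoted in this thread; not the full log and not output of any tool run here.
SAMPLE_LOG = r"""
O1 - Hosts: 63.94.0.225 ad.doubleclick.net
O1 - Hosts: 63.94.0.225 media.fastclick.net
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\Windows\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5e353fbc-e87e-4b68-ac89-d28e5db00c9b} - C:\DOCUME~1\MGARNHUM\APPLIC~1\trblmoothstr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: acttaiebstb - {179cae1c-173b-4b16-b405-c235f3f0c67e} - C:\DOCUME~1\MGARNHUM\APPLIC~1\trblmoothstr.dll (file missing)
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
OBJ_RE = re.compile(
    r"^O[23] - (BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]{36})\} - (.+?)( \(file missing\))?$"
)
# Path fragments that mean "user-writable profile directory" (8.3 and long forms).
# Heuristic chosen for this example, not a HijackThis rule.
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\",
                   "\\application data\\", "\\local settings\\", "\\temp\\")
# A DLL sitting directly in the Windows directory root rather than System32
# or a Program Files folder is an unusual location worth a second look (heuristic).
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


def is_loopback_target(ip: str) -> bool:
    """True if a HOSTS redirect target keeps the request on the local machine."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def triage_line(line: str):
    """Return a reason string if the line deserves review, else None."""
    m = O1_RE.match(line)
    if m:
        ip, host = m.groups()
        if not is_loopback_target(ip):
            return f"O1: {host} is redirected to {ip}, a remote host, not loopback"
        return None
    m = OBJ_RE.match(line)
    if m:
        kind, name, clsid, path, missing = m.groups()
        low = path.lower()
        reasons = []
        if missing:
            reasons.append("registered file is missing (orphaned CLSID)")
        if any(marker in low for marker in PROFILE_MARKERS):
            reasons.append("loaded from a user-writable profile directory")
        if WINDIR_ROOT_RE.match(low):
            reasons.append("sits directly in the Windows directory root")
        if reasons:
            return f"{kind} {name!r} {{{clsid}}} {path}: " + "; ".join(reasons)
    return None


def triage_log(text: str):
    """Run triage_line over a whole log; returns (line, reason) pairs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


def hosts_to_loopback(text: str, target: str = "127.0.0.1") -> str:
    """Rewrite every O1 entry as a HOSTS line pointing at the local machine."""
    matches = (O1_RE.match(l.strip()) for l in text.splitlines())
    lines = [f"{target} {m.group(2)}" for m in matches if m]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"[review] {reason}")
    print("--- replacement HOSTS entries ---")
    print(hosts_to_loopback(SAMPLE_LOG), end="")
```

Running the script prints the findings and the replacement HOSTS lines; to check a real log, read the file contents into the text argument in place of SAMPLE_LOG. Passing target="0.0.0.0" to hosts_to_loopback gives the unspecified-address form some HOSTS lists prefer, which fails the connection immediately instead of waiting on a local port.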
     
  4. Megan

    Megan Guest

    Thanks, we'll see how this works. Good so far.
     