Solved

How to Delete this process/dll causing advertisement

Posted on 2003-11-15
14
1,849 Views
Last Modified: 2007-12-19
HI,
I have this problem of pop up advertisemnts that does not seem to go away. I have tried HijackThis, Adaware and Spybpt S&D. Whenever my XP boots up the MSCONFIG shows the following processes:
lphhzwd c:\widows\system32\lphhzwd.exe
MhoL9X3 c:\widows\system32\MhoL9W3.exe

I have tried deleting them from the folder but found only lphhzwd.exe
 and lphhzwd.dll. When I try to delete it I get another process might be using file . On seraching for MhoL9X3  I found MHOL9W3.EXE-1A99B6B0.pf in c:\windows\prefetch.  I also tried unchecking them in MSCONFIG but they reappear. I think they are pop advertisement software that is slowing my machine and causing nuisance . I also tried deleting them in registry \software\Micorsoft\windows\CurrenVersion\run but they reappear.

I have a pop up blocker but i want to remove them from the source.
Any help/advice?
0
Comment
Question by:sambha03
  • 8
  • 3
  • 2
  • +1
14 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9757103
Uncheck every thing in MSconfig there is sometthing esle you are missing.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9757105
Sart > Run msconfig
Click on the tab marked "Startup"
unckeck all the items.

If the problem no longer persists then one of the items in the starup is the culprit you just need to track it down.
0
 
LVL 97

Expert Comment

by:war1
ID: 9757113
Greetings, sambha03!

A Search site has downloaded something into your computer.  Run the HijackThis from #3 and post it here.

1. If you have Windows Messenger Service, disable it.  The Messenger service is typically not needed for home users.

Right-click My Computer and click Manage.
Fold out the Services and Applications option and click Services.
Right-click the Messenger entry, select Properties, and choose Disable under Startup Type.
Click OK.

You should no longer receive messages sent via the messenger service.

2. Use the following scanners to find and remove the website.

SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/

Download the latest updates and run the scanner.

3. Some porn websites redirects links to their websites using your HOSTS file. Do a search for the HOSTS (without extension) file and remove the entry.

4. If still no joy, download HijackThis from Spywareinfo download page

http://www.spywareinfo.com/downloads.php

Run the program and you will find many entries. Most are OK. Post the log. I will find the problem for you.

5. For future preventive maintenance, make sure programs cannot just download on your computer without your permission.  From the Internet Toolbar, go to Tools > Internet Options > Advanced.  Make sure "Enable Install On Demand (Internet Explorer)" and "Enable Install On Demand (Other)" are unchecked.

Best wishes, war1
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9757115
Delete evey thing in the prefetch folder
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9757122
open the task manager and click on the processes tab and then click on lphhzwd.exe and the click the End Process button then delete it.

Task Manager
Star > Run taskmgr.exe
0
 
LVL 34

Expert Comment

by:sramesh2k
ID: 9757472
As CO said, the better option is to use MSConfig > Startup tab. Uncheck the items, reboot windows. Delete the files
And, run Ad-Aware scan.
0
 

Author Comment

by:sambha03
ID: 9758412
sramesh2k, CrazyOne: I already tried unchecking all items in strtup->MSconfig. It loads up again.
war1: I already used S&d, adawre etc
CrazyOne: It doesnt show up in task manger

When I try to delete it it says some program is useing it. I tried 3 times closing all processes in task maneger but I always end up rebotting windows by killing some critical process..
Any other idea?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 44

Accepted Solution

by:
CrazyOne earned 500 total points
ID: 9758465
Did you try deleting it in safe mode?
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9758469
Use this free utility

Note when you open the program go to the menu View and make sure there is a check mark next to View DLL's if there isn't then click on it.

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

just click each process one at a time and look at the bottom window note if that file is listed of the dll and if it is kill the process that had the files open.
0
 
LVL 97

Expert Comment

by:war1
ID: 9759080
Did you run HijackThis program and analysis the log file?
0
 

Author Comment

by:sambha03
ID: 9759785
CrazyOne : Thanks a lot!!!I cud delete it in  Safe mode ..it was loading with explorer process so when i wud kill the process the entire screen was going blank in regular boot. I have removed it now...will know in a while if those lousy pop ups are still there.....wish i cud sue these guys who harm n cause nuisnace to everyone....kepping fingers crossed that its all well now :-)
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9760576
My fingers are crossed :)
0
 

Author Comment

by:sambha03
ID: 9761707
Works fine...came back after full day and had left 1 IE window open..usualyy I wud expect to find atleast 20 pop ups open...but found not one :-) ....wish there was  an A++ to give :-)
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9761714
Glad we were able to assist you :)
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

There are 2 things you must have in order to connect to the internet behind a router, The "Gateway IP" of the router, which is usually something like 192.168.xxx.1, I've seen routers with default values of: 192.168.0.1, 192.168.1.1, 192.168.11.1, …
Ok I have been working on this for some time having learned and gained certification in XenDesktop 4 along came version 5 which was released last month. Since then I have been working to deploy XenDesktop 5 in a small environment with only 2 virt…
This video discusses moving either the default database or any database to a new volume.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now