Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Window opens up while surfing through certian sites

Posted on 2004-08-29
7
Medium Priority
?
196 Views
Last Modified: 2013-12-04
Hi,
i am having a really bad problem on my laptop. While surfing on the web, when i visit certian sites, a porno window (always of the same site) opens up. I tried every possible option I could come across. I cleaned up the system with Norton and AVG. I used SpyBot, SpyFerret, SpywareDoctor, CWShredder and many other options given in this link.

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml 
Ad-aware : http://www.webattack.com/download/dladaware.shtml 
Trojan Remover :http://www.simplysup.com/
HijackThis : http://www.webattack.com/download/dlhijackthis.shtml 
KL-Detector  :http://www.webattack.com/download/dlkldetector.shtml
X-Cleaner Free  :http://www.webattack.com/download/dlxcleaner.shtml
SpywareBlaster  :http://www.webattack.com/download/dlspywareblaster.shtml
SpywareGuard :http://www.webattack.com/download/dlspywareguard.shtml
SpySites  :http://www.webattack.com/download/dlspysites.shtml
Keylogger Hunter :http://www.webattack.com/download/dlklhunter.shtml
Spycop: http://www.spycop.com/
BHODemon : http://www.spywareinfo.com/downloads/bhod/
Browser Hijack Blaster : http://www.wilderssecurity.net/bhblaster.html
Goodbye Spy http://www.topshareware.com/GoodBye-Spy-download-2012.htm
CWShredder: http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder
Other spyware removal instructions: http://www.pchell.com/support/click2findnow.shtml

None of them seem to overcome this problem. I addition to this i searched the Registry keys and in \hkey_users\Software\Microsoft\SearchAssistant\AMRU, i found an entry for "hotlive". I removed this as well. but to no effect. Again, as I said earlier, the porno windo keeps popping up only when i visit certian sites.

Any help is very much appreciated.

Thanks in advance..
0
Comment
Question by:dummie_q
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11926743
Hello dummie_q =)

>> HijackThis : http://www.webattack.com/download/dlhijackthis.shtml 

THis is the Old version, so Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe

Let me see what's going on ur system,,, and im sure u have already emptied the Temporary Internet Files and Cookies of IE :)
0
 
LVL 1

Author Comment

by:dummie_q
ID: 11928650
Hi Saahil,
I ran the utility. Here is the log.

Logfile of HijackThis v1.98.2
Scan saved at 11:51:29 PM, on 8/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\Driver Cache\accinfo.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Aravind\Downloads\AdAware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\aravind\LOCALS~1\Temp\ofnicca.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\aravind\LOCALS~1\Temp\ofnicca.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\ARAVIN~1\LOCALS~1\Temp\ofnicca.dat
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [accinfo] C:\WINDOWS\Driver Cache\accinfo.exe
O4 - HKLM\..\RunOnce: [*accinfo] C:\WINDOWS\Driver Cache\accinfo.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\msagent\chars\cms.exe ren
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mpnoc
O17 - HKLM\Software\..\Telephony: DomainName = mpnoc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mpnoc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mpnoc
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Hope you can help me with this.

Thanks..
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 1000 total points
ID: 11928684
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\aravind\LOCALS~1\Temp\ofnicca.dat
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\aravind\LOCALS~1\Temp\ofnicca.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\ARAVIN~1\LOCALS~1\Temp\ofnicca.dat
O4 - HKLM\..\Run: [accinfo] C:\WINDOWS\Driver Cache\accinfo.exe
O4 - HKLM\..\RunOnce: [*accinfo] C:\WINDOWS\Driver Cache\accinfo.exe
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\msagent\chars\cms.exe ren
===============================

put a check mark agaisnt these liens and click on Fix Checked !!!!!
Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the Hijakcthis scan, and post the LOG file here again.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 1

Author Comment

by:dummie_q
ID: 11931964
Hi Saahil,
Thanks a lot..I will follow ur suggestions and see what happens. I will let you know..

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11932905
sure :)
0
 
LVL 1

Author Comment

by:dummie_q
ID: 11939656
Hi Sahil,
Seems like everything is working well now!!Thanks a bunch..I visited some of the web sites which used to give me prbs..and it was really nice..nothing popped..
Can you give me some pointers in understanding how to usually tackle this kind of problem..the symptoms etc..is there a good tutorial or web site where I can find information..

Thanks again..
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11940993
that's great =)

Well i run Hijakcthis.exe daily on my system,,,,,,, and it gives me all the information abt the GOOD and BAD running on my system...... and that is the Only thing which i use to keep my system safe and clean :)
Here is its Tutorial if u are interested >> http://aumha.org/a/hjttutor.php

Cheers ^_^
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question