How to remove the popup from advnt01.com?

Hi all,

My computer pops up a website from advnt01.com all the time, some softporn poster. Here is my log file from HijackThis; please have a look for me.

Logfile of HijackThis v1.98.2
Scan saved at 09:28:32, on 02/11/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xtray\xtray_link.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\webshots.scr
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\PCCNTMON.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\npotts.000\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rdintra/RDIntranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
O17 - HKLM\Software\..\Telephony: DomainName = corp.ricedaubney.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
Cheers
Yours EC
ericpc asked:
Lee W, MVP (Technology and Business Process Advisor) commented:
Have you run any spyware scanners, such as Spybot Search & Destroy? See http://security.kolla.de
0
Asta Cu (Technical consultant & graphic design) commented:
Did you first scan your system with a good, updated virus scan program? Then use standard spyware tools? We have a process here which is ideal rather than posting your entire HijackThis log... More shortly.
0
SheharyaarSaahil commented:
Hello ericpc =)

Please try getting and running these tools,
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off your System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Then run all of them one by one in Safe Mode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on your hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now.
0
Asta Cu (Technical consultant & graphic design) commented:
Immediate concerns are:
C:\Program Files\Xtray\xtray_link.exe
Nasty   running process. (xtray_link.exe)
TROJ_VB.JL trojan xtray_link.exe   This is a nasty process! You should fix it and try to delete it manually!
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
Nasty   The entered application Xtray was identified: Xtray. Hit rate: 99 % (result)   Must be fixed!

HijackThis tool and process recommendations here:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

Central link for Spyware tools here:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html
0

Asta Cu (Technical consultant & graphic design) commented:
Be sure that PRIOR to doing any cleanups... you go to Control Panel - System - System Restore to turn it off.... then clean your system, reboot and turn it back on, or the problems you fix will return.
0
SheharyaarSaahil commented:
And actually www.advnt01.com is related to the 7AdPower Dialer adware!!
So please follow here for its removal instructions >> http://securityresponse.symantec.com/avcenter/venc/data/dialer.7adpower.html
0
Asta Cu (Technical consultant & graphic design) commented:
I'm happy to see that you're using Windows XP SP2.... take the time to view the video in this link, it is VERY informative and well worth your time to get to know the power and uses for SP2.
***** This is an excellent link, very informative, and thanks to
Fatal_Exception for showing me this! It includes a step-by-step video about XP SP2 and the new features and configuration option overview. Top Notch!
http://65.24.134.81/KipSolutions/SP2/SP2Overview.htm *****
0
ericpc (Author) commented:
I tried AdAware and Spybot, no luck. xtray_link.exe does look nasty; can I clean it up by just removing the entry from the registry?

Cheers
Yours EC
0
Asta Cu (Technical consultant & graphic design) commented:
Do you speak German?  Is this meaningful to you?  Most elements of this exe appear to be OK (gut); others not.
-- Resultate auf den Namen: "Xtray" --

Name Datei Status
AUXXTRAY au30setp.exe  Gut
igfxtray igfxtray.exe  Gut
MPXTray mpxptray.exe  Gut
VortexTray au30setp.exe asp4tray.exe asp4setp.exe Gut
Xtray xtray_link.exe Böse

-- Resultate auf die Datei: "xtray_link.exe" --

Datei Name Status
xtray_link.exe Xtray Böse
0
Asta Cu (Technical consultant & graphic design) commented:
That is a TROJAN that must be removed from your startup.
0
Lee W, MVP (Technology and Business Process Advisor) commented:
Not sure if this will apply to you, but I'll post it anyway:

I've seen certain instances where a random file name is set in your registry to start when Windows starts.  If you attempt to remove it, it puts itself back, almost immediately, often with another random name.  I was successful in removing this using the following tools/procedure:

1.  Clean the machine of all other spyware/adware using Spybot and CWShredder
2.  Download SilentRunners.VBS from www.silentrunners.org (more about this later).  Run this and print out the results.
3.  Reboot to safe mode and then remove entries for unknown IE toolbars, etc, as well as the line that starts the bad process.
4.  Reboot to normal.

If you need help in further interpreting the SilentRunners output, please post it here and I or someone else can assist you.

SilentRunners is a vb script written by a participant in the NTBugTraq mailing list.  The script searches through every known area of a Windows PC that can start a program and displays those lines.

0
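Step 3 in the post above needs "the line that starts the bad process". As an added example (not part of any post in this thread and not SilentRunners code), this Python parses a HijackThis log, pairs each O4 autostart entry with the program it launches, and reports whether that program is in the "Running processes" list. The function names are illustrative assumptions, and the sample is a handful of lines copied from the log at the top of the thread.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Xtray\xtray_link.exe
C:\WINDOWS\webshots.scr

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
"""

RUN_KEY = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+?)(?: = (.+))?$")
IMAGE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|scr|com|bat|dll))\b', re.I)

def image_name(command):
    """Lower-cased file name of the program a command line starts, or None."""
    m = IMAGE.match(command.strip())
    return ntpath.basename(m.group(1) or m.group(2)).lower() if m else None

def parse_log(text):
    """Return (set of running image names, list of O4 autostart entries)."""
    running, autostarts, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.add(ntpath.basename(line).lower())
        elif m := RUN_KEY.match(line):
            autostarts.append((m.group(1), image_name(m.group(3)), line))
        elif m := STARTUP.match(line):
            # A Startup item with no "= target" is matched on its own file name.
            target = m.group(3) or m.group(2)
            autostarts.append((m.group(1), image_name(target), line))
    return running, autostarts

def launchers_of(text, exe):
    """Return (is it running?, the O4 lines that start it) for one file name."""
    running, autostarts = parse_log(text)
    exe = exe.lower()
    return exe in running, [raw for _, image, raw in autostarts if image == exe]

if __name__ == "__main__":
    print(launchers_of(SAMPLE_LOG, "xtray_link.exe"))
```

HijackThis only lists a subset of autostart locations, so an empty result for a running process means the launcher is somewhere this log section does not cover.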
ericpc (Author) commented:
I think I might have fixed it; I will leave it for half a day or so to see if it's going to come back.

Thanks heaps guys
Yours EC
0
Asta Cu (Technical consultant & graphic design) commented:
":0)
0
Asta Cu (Technical consultant & graphic design) commented:
Thank you. If the problem returns or other related issues arise, please comment and I'll respond when I can.
Best wishes,
":0) Asta
0
Question has a verified solution.
