• Status: Solved
  • Priority: Medium
  • Security: Public

How to remove the popup from advnt01.com?

Hi all,

         My computer pops up a website from advnt01.com all the time, some softporn poster. Here is my log file from HijackThis, please have a look for me.

Logfile of HijackThis v1.98.2
Scan saved at 09:28:32, on 02/11/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xtray\xtray_link.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\ofcdog.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\npotts.000\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rdintra/RDIntranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
O17 - HKLM\Software\..\Telephony: DomainName = corp.ricedaubney.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
Yours EC
1 Solution
Lee W, MVP (Technology and Business Process Advisor) Commented:
Have you run any spyware scanners?  Such as Spybot Search & Destroy?  See http://security.kolla.de
Asta Cu Commented:
Did you first scan your system with a good updated virus scan program?  Then use standard spyware tools?  We have a process here which is ideal rather than posting your entire HijackThis log... More shortly
Hello ericpc =)

Plzz try running getting these tools,
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger

Turn off ur System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Then run all of them one by one in Safe Mode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on ur hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ??
Asta Cu Commented:
Immediate concerns are:
:\Program Files\Xtray\xtray_link.exe    
Nasty   running process. (xtray_link.exe)
TROJ_VB.JL trojan xtray_link.exe   This is a nasty process! You should fix it and try to delete it manually!
  O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"    
Nasty   The entered application Xtray was identified: Xtray. Hit rate: 99 % (result)   Must be fixed!

HijackThis tool and process recommendations here:

Central link for Spyware tools here:
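
The cross-check made in the comment above (an `O4` autostart entry whose file is also in the running-process list) can be scripted. This is an added example, not part of the original thread and not HijackThis's own code; the function names and the watchlist are assumptions, and the sample lines are taken from the log posted in the question.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xtray\xtray_link.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BTTray.lnk = ?
"""
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): ([^=]+?)(?: = (.+))?$")

def executable(cmd):
    """Program path from a command line; copes with quotes and unquoted paths with spaces."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]

def parse(log):
    """Return (set of lower-cased running process paths, list of O4 autostart entries)."""
    running, entries, in_procs = set(), [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            running.add(line.lower())
        elif m := RUN_RE.match(line):
            entries.append({"where": m[1], "name": m[2], "path": executable(m[3])})
        elif m := STARTUP_RE.match(line):
            # A Startup item with no "= target" is itself the file that runs.
            entries.append({"where": m[1], "name": m[2], "path": executable(m[3] or m[2])})
    return running, entries

def triage(log, watchlist):
    """Autostart entries whose file name is on the analyst-supplied, lower-case watchlist."""
    running, entries = parse(log)
    running_names = {ntpath.basename(p) for p in running}
    return [{**e, "running": ntpath.basename(e["path"]).lower() in running_names}
            for e in entries if ntpath.basename(e["path"]).lower() in watchlist]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, {"xtray_link.exe"}))
```

The watchlist is supplied by the analyst (here, the file name flagged in this thread); the code only correlates log sections and does not judge whether a file is malicious.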
Asta Cu Commented:
Be sure that PRIOR to doing any cleanups... you go to Control Panel - System - System Restore to turn it off.... then clean your system, reboot and turn it back on or the problems you fix will return.
and actually www.advnt01.com is related to 7AdPower Dialer adware !!
So plzz follow here for its removal instructions >> http://securityresponse.symantec.com/avcenter/venc/data/dialer.7adpower.html
Asta Cu Commented:
I'm happy to see that you're using Windows XP SP2.... take the time to view the video in this link, it is VERY informative and well worth your time to get to know the power and uses for SP2.
***** This is an excellent link, very informative, and thanks to
Fatal_Exception for showing me this! It includes a step-by-step video about XP SP2 and the new features and configuration option overview. Top Notch! *****
ericpc (Author) Commented:
I tried Adware and spybot, no luck. Xtray_link.exe does look nasty, can I clean it up by just removing the entry from the registry?

Yours EC
Asta Cu Commented:
Do you speak German?  Is this meaningful to you?  Most elements of this exe appear to be OK (gut); others not.
-- Resultate auf den Namen: "Xtray" --

Name Datei Status
AUXXTRAY au30setp.exe  Gut
igfxtray igfxtray.exe  Gut
MPXTray mpxptray.exe  Gut
VortexTray au30setp.exe asp4tray.exe asp4setp.exe Gut
Xtray xtray_link.exe Böse

-- Resultate auf die Datei: "xtray_link.exe" --

Datei Name Status
xtray_link.exe Xtray Böse
Asta Cu Commented:
That is a TROJAN that must be removed from your startup.
Lee W, MVP (Technology and Business Process Advisor) Commented:
Not sure if this will apply to you, but I'll post it anyway:

I've seen certain instances where a random file name is set in your registry to start when windows starts.  If you attempt to remove it, it puts itself back, almost immediately, often with another random name.  I was successful in removing this using the following tools/procedure:

1.  Clean the machine of all other spyware/adware using Spybot and CWShredder
2.  Download SilentRunners.VBS from www.silentrunners.org (more about this later).  Run this and print out the results.
3.  Reboot to safe mode and then remove entries for unknown IE toolbars, etc, as well as the line that starts the bad process.
4.  Reboot to normal.

If you need help in further interpreting the SilentRunners output, please post it here and I or someone else can assist you.

SilentRunners is a vb script written by a participant in the NTBugTraq mailing list.  The script searches through every known area of a Windows PC that can start a program and displays those lines.

ericpc (Author) Commented:
I think I might have fixed it, I will leave it for half a day or so to see if it's gonna come back.

Thanks heaps guys
Yours EC
Asta Cu Commented:
Thank you, if problem returns or other related issues arise to this; please comment and I'll respond when I can.
Best wishes,
":0) Asta