Solved

How to remove the popup from advnt01.com?

Posted on 2004-11-01
Last Modified: 2008-01-09
Hi all,

My computer pops up a website from advnt01.com all the time, some soft-porn poster. Here is my log file from HijackThis; please have a look for me.

Logfile of HijackThis v1.98.2
Scan saved at 09:28:32, on 02/11/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xtray\xtray_link.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\webshots.scr
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\PCCNTMON.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\npotts.000\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rdintra/RDIntranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
O17 - HKLM\Software\..\Telephony: DomainName = corp.ricedaubney.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.ricedaubney.com.au
Cheers
Yours EC
Question by:ericpc
14 Comments
LVL 96

Expert Comment

by:Lee W, MVP
ID: 12468429
Have you run any spyware scanners?  Such as Spybot Search & Destroy?  See http://security.kolla.de
LVL 27

Expert Comment

by:Asta Cu
ID: 12468430
Did you first scan your system with a good, updated virus scan program?  Then use standard spyware tools?  We have a process here which is ideal rather than posting your entire HijackThis log... More shortly
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12468438
Hello ericpc =)

Please try getting and running these tools,
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off your System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Then run all of them one by one in Safe Mode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on your hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ??
LVL 27

Accepted Solution

by:
Asta Cu earned 1000 total points
ID: 12468449
Immediate concerns are:
:\Program Files\Xtray\xtray_link.exe
Nasty running process. (xtray_link.exe)
TROJ_VB.JL trojan xtray_link.exe   This is a nasty process! You should fix it and try to delete it manually!
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
Nasty   The entered application Xtray was identified: Xtray. Hit rate: 99 % (result)   Must be fixed!

HijackThis tool and process recommendations here:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

Central link for Spyware tools here:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html
LVL 27

Expert Comment

by:Asta Cu
ID: 12468458
Be sure that PRIOR to doing any cleanups... you go to Control Panel - System - System Restore to turn it off.... then clean your system, reboot and turn it back on, or the problems you fix will return.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12468466
and actually www.advnt01.com is related to 7AdPower Dialer adware !!
So please follow here for its removal instructions >> http://securityresponse.symantec.com/avcenter/venc/data/dialer.7adpower.html
LVL 27

Expert Comment

by:Asta Cu
ID: 12468474
I'm happy to see that you're using Windows XP SP2.... take the time to view the video in this link, it is VERY informative and well worth your time to get to know the power and uses for SP2.
***** This is an excellent link, very informative, and thanks to
Fatal_Exception for showing me this! It includes a step-by-step video about XP SP2 and the new features and configuration option overview. Top Notch!
http://65.24.134.81/KipSolutions/SP2/SP2Overview.htm *****

Author Comment

by:ericpc
ID: 12468586
I tried Ad-Aware and Spybot, no luck. Xtray_link.exe does look nasty; can I clean it up by just removing the entry from the registry?

Cheers
Yours EC
LVL 27

Expert Comment

by:Asta Cu
ID: 12468722
Do you speak German?  Is this meaningful to you?  Most elements of this exe appear to be OK (gut); others not.
-- Resultate auf den Namen: "Xtray" --

Name        Datei                                    Status
AUXXTRAY    au30setp.exe                             Gut
igfxtray    igfxtray.exe                             Gut
MPXTray     mpxptray.exe                             Gut
VortexTray  au30setp.exe asp4tray.exe asp4setp.exe   Gut
Xtray       xtray_link.exe                           Böse

-- Resultate auf die Datei: "xtray_link.exe" --

Datei           Name   Status
xtray_link.exe  Xtray  Böse
LVL 27

Expert Comment

by:Asta Cu
ID: 12468733
That is a TROJAN that must be removed from your startup.
LVL 96

Expert Comment

by:Lee W, MVP
ID: 12468753
Not sure if this will apply to you, but I'll post it anyway:

I've seen certain instances where a random file name is set in your registry to start when Windows starts.  If you attempt to remove it, it puts itself back, almost immediately, often with another random name.  I was successful in removing this using the following tools/procedure:

1.  Clean the machine of all other spyware/adware using Spybot and CWShredder
2.  Download SilentRunners.VBS from www.silentrunners.org (more about this later).  Run this and print out the results.
3.  Reboot to safe mode and then remove entries for unknown IE toolbars, etc, as well as the line that starts the bad process.
4.  Reboot to normal.

If you need help in further interpreting the SilentRunners output, please post it here and I or someone else can assist you.

SilentRunners is a VBScript written by a participant in the NTBugTraq mailing list.  The script searches through every known area of a Windows PC that can start a program and displays those lines.

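As an added example (not code from the thread, from HijackThis or from SilentRunners), here is the cross-check Asta Cu did by hand for the Xtray entry, which is also the kind of autostart review Lee W describes: parse the O4 entries of a HijackThis log, reduce each command line to the file it actually loads, and mark which of those files appear in the "Running processes" list. The log excerpt is constructed from lines in the question, and %SystemRoot% is assumed to be C:\WINDOWS.

```python
import re
# Constructed excerpt of the HijackThis v1.98.2 log posted in the question (a subset of its lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xtray\xtray_link.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
"""
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# First token ending in .exe/.dll/.scr, quoted or not, even when the path contains spaces.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr))(?:"|\s|,|$)', re.IGNORECASE)

def image_from_command(cmd):
    # Reduce a Run-key command line to the file it loads.
    # Assumption: %SystemRoot% is C:\WINDOWS, as the log's own process paths show.
    cmd = re.sub(r"^%systemroot%", r"C:\\WINDOWS", cmd.strip(), flags=re.IGNORECASE)
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd
    if m.group(1).lower().endswith("rundll32.exe"):  # rundll32 only hosts the DLL after it
        return image_from_command(cmd[m.end():])
    return m.group(1)

def parse_log(text):
    """Return (running process paths, [(location, name, image)]) from a HijackThis log."""
    processes, autostarts, in_procs = [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        elif m := O4_RE.match(line):
            name, cmd = m.group("name"), m.group("cmd")
            if name is None and " = " in cmd:  # Startup-folder shortcut: "Foo.lnk = target"
                name, cmd = cmd.split(" = ", 1)
            autostarts.append((m.group("loc"), name or cmd, image_from_command(cmd)))
    return processes, autostarts

def correlate(text):
    """Map each autostart name to (image, is_running): the check Asta Cu did by hand for Xtray."""
    processes, autostarts = parse_log(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    return {name: (image, image.rsplit("\\", 1)[-1].lower() in running)
            for _, name, image in autostarts}
```

`correlate(SAMPLE_LOG)["Xtray"]` comes back as the xtray_link.exe path with `True`, the same link between the O4 line and the running process that the accepted solution points out.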

Author Comment

by:ericpc
ID: 12469022
I think I might have fixed it; I will leave it for half a day or so to see if it's gonna come back.

Thanks heaps guys
Yours EC
LVL 27

Expert Comment

by:Asta Cu
ID: 12469028
":0)
LVL 27

Expert Comment

by:Asta Cu
ID: 12483002
Thank you, if problem returns or other related issues arise to this; please comment and I'll respond when I can.
Best wishes,
":0) Asta