How to remove the popup from

Posted on 2004-11-01
Last Modified: 2008-01-09
Hi all,

         My computer popup a website from all the time, some softporn poster. Here is my log file from Hijackthis, please have a look for me.

Logfile of HijackThis v1.98.2
Scan saved at 09:28:32, on 02/11/04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Xtray\xtray_link.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\ofcdog.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\npotts.000\LOCALS~1\Temp\Temporary Directory 1 for\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rdintra/RDIntranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
Yours EC
Question by:ericpc
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Have you run any spyware scanners?  Such as Spybot Search & Destory?  see
    LVL 27

    Expert Comment

    by:Asta Cu
    Did you first scan your system with a good updated Viruscan program?  Then use standard spyware tools?  We have process here which is ideal rather than posting your entire hijackthis log... More shortly
    LVL 65

    Expert Comment

    Hello ericpc =)

    Plzz try running getting these tools,
    AdAware ==>
    SpyBot  ==>
    CoolWebShredder ==>
    Stinger ==>

    Turn off ur System Restore before cleaning the system if its WinME\XP >>
    Then Run all of them one by one in safemode and delete everything they detect.
    Then delete the temporary internet files and history of IE
    and run Disk Cleanup on ur hard drive to delete those temp and junk files.
    Restart back in Normal Mode to check for the problems now ??
    LVL 27

    Accepted Solution

    Immediate concerns are:
    :\Program Files\Xtray\xtray_link.exe    
    Nasty   running process. (xtray_link.exe)
    TROJ_VB.JL trojan xtray_link.exe   This is a nasty process! You should fix it and try to delete it manually!
      O4 - HKLM\..\Run: [Xtray] "C:\Program Files\Xtray\xtray_link.exe"    
    Nasty   The entered application Xtray was identified: Xtray. Hit rate: 99 % (result)   Must be fixed!

    HijackThis tool and process recommendations here:

    Central link for Spyware tools here:
    LVL 27

    Expert Comment

    by:Asta Cu
    Be sure that PRIOR to doing any cleanups... you go to Control Panel - System - System Restore to turn if off.... then clean your system, reboot and turn it back on or the problems you fix will return.
    LVL 65

    Expert Comment

    and actually is related to 7AdPower Dialer adware !!
    So plzz follow here for its removal instructions >>
    LVL 27

    Expert Comment

    by:Asta Cu
    I'm happy to see that you're using Windows XP SP2.... take the time to view the video in this link, it is VERY informatiive and well worth your time to get to know the power and uses for SP2.
    ***** This is an excellent link, very informative, and thanks to
    Fatal_Exception for showing me this! It includes a step-by-step video about XP SP2 and the new features and configuration option overview. Top Notch! *****

    Author Comment

    I tried Adware and spybot, no luck. Xtry_link.exe does looks nasty, can I clean it up by just remove the entry from registry?

    Yours EC
    LVL 27

    Expert Comment

    by:Asta Cu
    Do you speak German?  Is this meaningful to you?  Most elements of this exe appear to be OK (gut); others not.
    -- Resultate auf den Namen: "Xtray" --

    Name Datei Status
    AUXXTRAY au30setp.exe  Gut
    igfxtray igfxtray.exe  Gut
    MPXTray mpxptray.exe  Gut
    VortexTray au30setp.exeasp4tray.exeasp4setp.exe  Gut
    VortexTray au30setp.exe asp4tray.exe asp4setp.exe Gut
    Xtray xtray_link.exe Böse

    -- Resultate auf die Datei: "xtray_link.exe" --

    Datei Name Status
    xtray_link.exe Xtray Böse
    LVL 27

    Expert Comment

    by:Asta Cu
    That is a TROJAN that must be removed from your startup.
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Not sure if this will apply to you, but I'll post it anyway:

    I've seen certain instances where a random file name is set in your registry to start when windows starts.  If you attempt to remove it, it puts itself back, almost immediately, often with another random name.  I was successful in removing this using the following tools/procedure:

    1.  Clean the machine of all other spyware/adware using Spybot and CWShredder
    2.  Download SilentRunners.VBS from (more about this later).  Run this and print out the results.
    3.  Reboot to safe mode and then remove entries for unknown IE toolbars, etc, as well as the line that starts the bad process.
    4.  Reboot to normal.

    If you need help in further interpreting the SilentRunners output, please post it here and I or someone else can assist you.

    SilentRunners is a vb script written by a participant in the NTBugTraq mailing list.  The script searches through every known area of a Windows PC that can start a program and displays those lines.


    Author Comment

    I think I might fixed it, I will leave it for half a day or so see if its gonna come back.

    Thanks heaps guys
    YOurs EC
    LVL 27

    Expert Comment

    by:Asta Cu
    LVL 27

    Expert Comment

    by:Asta Cu
    Thank you, if problem returns or other related issues arise to this; please comment and I'll respond when I can.
    Best wishes,
    ":0) Asta

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
    Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    846 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    3 Experts available now in Live!

    Get 1:1 Help Now