Can't stop pop ups

Posted on 2006-03-31
Last Modified: 2013-11-28
I have a computer that I have run Spy-bot and Ad-Aware on; both have removed spyware and now show the system to be clean. I have also run anti-virus software on this machine and it too shows it to be free of viruses, although I fear the software may be a little outdated. In addition, I have recently installed SP2 to help with the pop-ups and such. But the pop-ups just keep on coming. Looking for any suggestions and/or ideas to help me get to the bottom of this problem.
Question by:dowhatyoudo22
    LVL 27

    Expert Comment

    Run this utility in Safe Mode.
    Run HiJackThis in Safe Mode as well. Post your log file for analysis in the second link.
    Post here:
    Make sure that all of your Temp files including IE Temp files are cleared prior to scans.
    Check your MSCONFIG for entries that should obviously be removed.
    Click Start>Run>MSCONFIG>Startup tab
    LVL 53

    Expert Comment

    by:Will Szymkowski
    Also you might want to disable/remove windows messenger. This will also work b/c windows messenger is a source of adware/popups

    to remove it from your computer type this in the "Run" command line...

    RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove

    to just disable it do the following

    (1) Select "Start"
    (2) Choose "Control Panel"
    (3) Choose "Administrative Tools"
    (4) Choose "Services"
    (5) Right-click on "Messenger"
    (6) Select "Stop"
    To permanently disable Messenger:
    (7) Right click "Messenger"
    (8) Select "Properties"
    (9) Change "Startup Type" to "Disabled" and click "OK"

    Another thing I would suggest is go to and download Adaware SE Personal 6.0 and Spybot Search and Destroy. Run these programs in Safe Mode.

    Hope this helps...

    LVL 47

    Expert Comment

    As already suggested, a hijackthis log would be of great help for us.
    If we can see your Hijackthis log and if the cause of those popups show up in the log, we will be able to tell you exactly what tools to use to remove those popups.
    Bad entries that show up in the log point to specific malware infections that need specific tools.

    Please download HijackThis 1.99.1
    Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log,
    then at the bottom left corner click "paste"
    Copy the address/url and post it here:

    Or copy and paste the log at;
    and click "Analyse", "Save".  Post a link to the saved list here.
    LVL 47

    Expert Comment

    Ooops... now where did that come from? lol.

    Please DO NOT run Hijackthis in safe mode if you can run it in normal mode.
    Hijackthis must be run in normal mode in order for all entries to show up. (especially services)

    Hijackthis is a great diagnostic tool, so instead of trying and downloading many scanners to see which one removes the popups, hijackthis can tell us exactly what tool is needed to fix the problem.


    Author Comment

    LVL 3

    Expert Comment


    Works where all the others listed above have failed.
    LVL 3

    Expert Comment

    mywebsearch will be removed by spysweeper
    LVL 47

    Expert Comment

    Your Hijackthis log shows a vundo infection and a narrator/qoologic infection.

    Let's get rid of vundo first (you have the latest vundo variant there).
    1. Please download VundoFix.exe to your desktop.
    Double-click VundoFix.exe to run it.
    Put a check next to "Run VundoFix as a task".
    You will receive a message saying vundofix will close and re-open in a minute or less.
    Click OK
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.

    That should get rid of half of the popups, the other half is qoologic.

    2. Ewido will get rid of qoologic:
    Please, Download and install the free version of Ewido anti-malware.
    Update first then scan in safe mode. Ewido has to be run in Safe Mode to tackle qoo files.

    If Ewido fails then we'll help you remove it manually.
    there is also another scanner that gets rid of qoologic:
    AdwareAway -- 5 day trial only
    LVL 47

    Accepted Solution

    Only fix these entries after running VundoFix, because HijackThis can't remove 2 of these entries without any help; vundo files start before Windows loads. If VundoFix fails to remove Vundo then there is plan B. If VundoFix is successful then the vundo entries will be gone or their files will be missing in the HJT lines.

    Fix these entries if still present, after running Vundofix:
    O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
    O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll

    this one below is a qoologic infection:
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run

    this one below is nothing special just a bad extra context menu (rightclick menu)
    O8 - Extra context menu item: &Search - 38YYUS
    LVL 8

    Expert Comment

    MyWebSearch is a spyware/trojan, in order to remove it go to
    ControlPanel -> Add/Remove programs, find it in the list, and just
    click Remove ;) it's that easy :)

    Notice all of the programs that are installed and have something
    like "search" or "ads" or "ad" as a word in its caption. Like
    "MyWebSearch", "PowerSearch", "MyAdClient", etc.. Those are
    all potential malware.

    Also, to be 100% sure, read the following.

    Step 1:

    First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
    Under "System tools", click "Open process manager" button.
    You should see a list of processes currently running on your comp.
    Try to kill as much as possible, avoiding svchost.exe. Those which belong to the
    Windows would not be able to be terminated. So don't worry. This step is
    important, because this way you are shutting down any processes that could
    reverse back everything you clean up.

    When you have finished killing all possible processes, you should see in that list only
    these processes (sorted by Image Name):
    - csrss.exe
    - explorer.exe
    - HijackThis.exe
    - lsass.exe
    - services.exe
    - smss.exe
    - svchost.exe
    - System
    - System Idle Process
    - winlogon.exe
    and only "svchost.exe" should be repeated several times.

    If you suddenly kill explorer.exe all of the icons from desktop will disappear, and
    your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
    and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
    "explorer" and click the "Open" button. That will restore your desktop back.

    AFTER, and only after you have killed all the other processes, you can start the
    next step. If you fail to kill all of the processes (except the above), the chance
    of success is somehow lowered.

    Step 2:

    If HijackThis is started, close it and start it again. Click on the
    "Do a system scan only" button, and then select the following items:

    O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O8 - Extra context menu item: &Search - 38YYUS

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - MmVrT/iTunesSetup.exe

    (If the Domain "alta.local" does not belong to your ISP, or your firm's network,
    these entries should be fixed)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alta.local
    O17 - HKLM\Software\..\Telephony: DomainName = alta.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alta.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alta.local

    O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll

    (According to
    this item is a trojan)
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

    Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
    windows are open, close them before fixing). After the fixing has been done,
    reboot your computer. When computer reboots, open HijackThis, click on the
    "Do a system scan and save a logfile". Save the log to the Desktop, then connect
    to the internet and upload your log to and when you do that,
    you should see a link to your log, after successful upload. Copy that link here
    for further check to make sure everything went ok.

    LVL 47

    Expert Comment


    We need to be really careful what we advise people who are asking for our help. They have put their PC in our hands; we could ruin it or fix it.
    I've given bad advice without thorough research before and the user paid for my bad judgement.

    There are things that are not right in your post.
    Anyway, I'm just going to pick the most important one that I'm concerned about.
    >>>(According to
    this item is a trojan)
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll<<<

    The above entry is a legit entry from Symantec's pcAnywhere.
    It is so easy to get mixed up with files that have the same names. What you need to do is look at where the file is running from and what lines in Hijackthis. in your link is talking about a trojan that is a startup entry, NOT a winlogon notify key.
    You see the difference? greatis is talking about a PCANotify.dll trojan which is located in the same location but in the O4 lines in Hijackthis.
    This one below is NOT a startup entry, not an O4 line but an O20 line. This one belongs to pcAnywhere.
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

    Please don't take it as a personal attack on you because that's not my intention at all. Just trying to help you not make a bad judgement as I did.
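
Added example (not part of any poster's comment): a Python sketch of the point made in the comment above, that a HijackThis entry has to be matched on its section code together with the file name, never on the file name alone. The log lines are copied from this thread, the NOTES table only restates verdicts given in the thread, and the function names are hypothetical.

```python
import ntpath
import re

# Log lines copied from this thread.
SAMPLE_LOG = r"""
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Search - 38YYUS
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
"""

# Verdicts as the thread states them, keyed by (section code, file name).
NOTES = {
    ("O2", "gebcc.dll"): "vundo",
    ("O20", "gebcc.dll"): "vundo",
    ("O4", "wywyoo.exe"): "qoologic",
    ("O4", "pcanotify.dll"): "trojan startup entry described by the linked reference",
    ("O20", "pcanotify.dll"): "legitimate pcAnywhere entry",
}

LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)

def parse_line(line):
    """Split one log line into its section code and the file it points at."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = PATH_RE.search(m.group(2))
    name = ntpath.basename(path.group(0)).lower() if path else None
    return {"section": m.group(1), "file": name}

def annotate(log_text):
    """Attach the section-aware note; flag names whose verdict depends on section."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        by_name = {v for (_, f), v in NOTES.items() if f == e["file"]}
        e["note"] = NOTES.get((e["section"], e["file"]), "no note, research first")
        e["name_only_is_ambiguous"] = len(by_name) > 1
        entries.append(e)
    return entries

if __name__ == "__main__":
    for e in annotate(SAMPLE_LOG):
        flag = "  <- verdict differs by section" if e["name_only_is_ambiguous"] else ""
        print(f'{e["section"]:<4}{e["file"]}: {e["note"]}{flag}')
```
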
    LVL 8

    Expert Comment

    Thank you for that notice, no offense taken :)
    I apologize, because I didn't read it thoroughly, because there were so many
    items to check.

    However, dowhatyoudo22, if you already removed that item, don't worry.
    HijackThis keeps the backup of the items it has removed. So, you can
    freely remove ALL of the items and then restart your machine to see which
    things don't work anymore, and then go back to HT and just press the
    "View the list of backups" and restore the item needed.

    But, this should be done only in extreme situations, where you cannot
    tell for sure what's the cause of the infection. In this case, just restore
    that one item:
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

    rpggamergirl, thank you for your notice :)
