[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Can't stop pop ups

Posted on 2006-03-31
Medium Priority
Last Modified: 2013-11-28
I have a computer that I have run Spy-bot and Ad-Aware on both have removed spyware and now show the system to be clean. I have also run Anti-Virus software on this machine and it to shows it to be free of viruses, although I fear the software may be a little out dated. In addition I have recently installed SP2 to help with the pop-ups and such. But the pops up just keep on comming. Looking for any suggestions and or ideas to help me get to the bottom of this problem.
Question by:dowhatyoudo22
  • 5
  • 2
  • 2
  • +4
LVL 27

Expert Comment

ID: 16344685
Run this utilitiy in Safe Mode.
Run HiJackThis in Safe Mode as well. Post your log file for analysis in the second link.
Download: http://www.spywareinfo.com/~merijn/
Post here: http://www.hijackthis.de/
Make sure that all of your Temp files including IE Temp files are cleared prior to scans.
Check your MSCONFIG for entries that should obviously be removed.
Click Start>Run>MSCONFIG>Startup tab
LVL 53

Expert Comment

by:Will Szymkowski
ID: 16345405
Also you might want to disable/remove windows messenger. This will also work b/c windows messenger is a source of adware/popups

to remove it from your computer type this in the "Run" command line...

RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove

to just disable it do the following

(1) Select "Start"
(2) Choose "Control Panel"
(3) Choose "Administrative Tools"
(4) Choose "Services"
(5) Right-click on "Messenger"
(6) Select "Stop"
To permanently disable Messenger:
(7) Right click "Messenger"
(8) Select "Properties"
(9) Change "Startup Type" to "Disabled" and click "OK"

Another thing I would suggest is go to www.download.com and download Adaware SE Personal 6.0 and Spybot Searcha and Destroy. Run these programs in safemode

Hope this helps...

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 47

Expert Comment

ID: 16345915
As already suggested, a hijackthis log would be of great help for us.
If we can see your Hijackthis log and if the cause of those popups show up in the log, we will be able to tell you exactly what tools to use to remove those popups.
Bad entries that shows up in the log points to a specific malware infections that needs a spicific tools.

Please download HijackThis 1.99.1
Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
and click "Analyse", "Save".  Post a link to the saved list here.
LVL 47

Expert Comment

ID: 16345991
Ooops... now where did that come from? lol.

Please DO NOT run Hijackthis in safe mode if you can run it in normal mode.
Hijackthis must be run in normal mode in order for all entries to show up. (especially services)

Hijackthis is a great diagnostic tool, so instead of trying and downloading many scanners to see which one removes the popups, hijackthis can tell us exactly what tool is needed to fix the problem.


Author Comment

ID: 16346341

Expert Comment

ID: 16346708

Works where all the others listed above have failed.

Expert Comment

ID: 16346722
mywebsearch will be removed by spysweeper
LVL 47

Expert Comment

ID: 16346820
Your Hijackthis log shows a vundo infection and a narrator/qoologic infection.

Let's get rid of vundo first( you have the latest vundo variant there)
1. Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.

That should get rid of half of the popups, the other half is qoologic.

2. Ewido will get rid of qoologic:
Please, Download and install the free version of Ewido anti-malware.
Update first then scan in safe mode. Ewido has to be run in Safe Mode to tackle qoo files.

If Ewido fails then we'll help you remove it manually.
there is also another scanner that gets rid of qoologic:
AdwareAway -- 5 day trial only
LVL 47

Accepted Solution

rpggamergirl earned 1000 total points
ID: 16346910
Only fix these entries after running vundofix because Hijackthis can't remove 2 of these entries without any help, vundo files starts before Windows loads. If Vundofix fails to remove Vundo then there is plan B. If vundofix is successfull then vundo entries will be gone or their files are missing in HJT lines.

Fix these entries if still present, after running Vundofix:
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll

this one below is a qoologic infection:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run

this one below is nothing special just a bad extra context menu (rightclick menu)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzeb008BXUS_ZCxdm2 38YYUS

Expert Comment

ID: 16352076
MyWebSearch is a spyware/trojan, in order to remove it go to
ControlPanel -> Add/Remove programs, find it in the list, and just
click Remove ;) it's that easy :)

Notice all of the programs that are installed and have something
like "search" or "ads" or "ad" as a word in its caption. Like
"MyWebSearch", "PowerSearch", "MyAdClient", etc.. Those are
all potential malware.

Also, to be 100% sure, read the following.

Step 1:

First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as much as possible, avoiding svchost.exe. Those which belong to the
Windows would not be able to be terminated. So don't worry. This step is
important, because this way you are shutting down any processes that could
reverse back everything you clean up.

When you have finnished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe all of the icons from desktop will dissapear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
"explorer" and click the "Open" button. That will restore your desktop back.

AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somehow lowered.

Step 2:

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzeb008BXUS_ZCxdm2 38YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111. MmVrT/iTunesSetup.exe

(If the Domain "alta.local" does not belong to your ISP, or your firms network,
these entries should be fixed)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alta.local
O17 - HKLM\Software\..\Telephony: DomainName = alta.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alta.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alta.local

O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll

(According to http://www.greatis.com/appdata/d/_/_sysdir__pcanotify.dll.htm
this item is a trojan)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.

LVL 47

Expert Comment

ID: 16352355

We need to be really careful what to advice to people who are asking for our help. They have put their pc in our hands, we could ruin it or fix it.
I've given a bad advice without thorough research before and the user paid for my bad judgement.

There are things that are not right in your post,
Anyway, I'm just going to pick the most important one that I'm concern about.
>>>(According to http://www.greatis.com/appdata/d/_/_sysdir__pcanotify.dll.htm
this item is a trojan)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll<<<

The above entry is a legit entry from Symantec's pcAnywhere.
It is so easy to get mixed up with files that has same names. What you need to do is look where the file is running from and what lines in Hijackthis.

greatis.com in your link is talking about a trojan that is a startup entry NOT a winlogon notify key.
You see the difference? greatis is talking about a PCANotify.dll trojan which is located same location but in the 04 lines in Hijackthis.
This one below is NOT a startup entry, not an 04 lines but an 020 line. This one belongs to pcAnywhere.
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

Please don't take it as a personal attack on you because that's not my intention at all. Just trying to help you not make a bad judgement as I did.

Expert Comment

ID: 16352547
Thank you for that notice, none offense taken :)
I apologize, because I didn't read it throughly, cause there were so many
items to check.

However, dowhatyoudo22, if you already removed that item, don't worry.
HijackThis keeps the backup of the items it has removed. So, you can
freely remove ALL of the items and then restart your machine to see which
things don't work anymore, and then go back to HT and just press the
"View the list of backups" and restore the item needed.

But, this should be done only in extreme situations, where you cannot
tell for sure what's the cause of the infection. In this case, just restore
that one item:
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

rpggamergirl, thank you for your notice :)

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
Considering today’s continual security threats, which affect Information technology networks and systems worldwide, it is very important to practice basic security awareness. A normal system user can secure himself or herself by following these simp…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question