Can't stop pop ups

I have a computer that I have run Spy-bot and Ad-Aware on; both have removed spyware and now show the system to be clean. I have also run anti-virus software on this machine and it too shows it to be free of viruses, although I fear the software may be a little outdated. In addition I have recently installed SP2 to help with the pop-ups and such. But the pop-ups just keep on coming. Looking for any suggestions and/or ideas to help me get to the bottom of this problem.

Run this utility in Safe Mode.
Run HiJackThis in Safe Mode as well. Post your log file for analysis in the second link.
Post here:
Make sure that all of your Temp files including IE Temp files are cleared prior to scans.
Check your MSCONFIG for entries that should obviously be removed.
Click Start>Run>MSCONFIG>Startup tab
Dushan De Silva (Technology Architect) commented:
Will Szymkowski (Senior Solution Architect) commented:
Also you might want to disable/remove windows messenger. This will also work b/c windows messenger is a source of adware/popups

to remove it from your computer type this in the "Run" command line...

RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove

to just disable it do the following

(1) Select "Start"
(2) Choose "Control Panel"
(3) Choose "Administrative Tools"
(4) Choose "Services"
(5) Right-click on "Messenger"
(6) Select "Stop"
To permanently disable Messenger:
(7) Right click "Messenger"
(8) Select "Properties"
(9) Change "Startup Type" to "Disabled" and click "OK"

Another thing I would suggest is go to and download Adaware SE Personal 6.0 and Spybot Search and Destroy. Run these programs in Safe Mode.

Hope this helps...


As already suggested, a hijackthis log would be of great help for us.
If we can see your Hijackthis log and if the cause of those popups show up in the log, we will be able to tell you exactly what tools to use to remove those popups.
Bad entries that show up in the log point to specific malware infections that need specific tools.

Please download HijackThis 1.99.1
Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log,
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at; 
and click "Analyse", "Save".  Post a link to the saved list here.
Ooops... now where did that come from? lol.

Please DO NOT run Hijackthis in safe mode if you can run it in normal mode.
Hijackthis must be run in normal mode in order for all entries to show up. (especially services)

Hijackthis is a great diagnostic tool, so instead of trying and downloading many scanners to see which one removes the popups, hijackthis can tell us exactly what tool is needed to fix the problem.

dowhatyoudo22 (Author) commented:

Works where all the others listed above have failed.
mywebsearch will be removed by spysweeper
Your Hijackthis log shows a vundo infection and a narrator/qoologic infection.

Let's get rid of vundo first (you have the latest vundo variant there).
1. Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.

That should get rid of half of the popups, the other half is qoologic.

2. Ewido will get rid of qoologic:
Please, Download and install the free version of Ewido anti-malware.
Update first then scan in safe mode. Ewido has to be run in Safe Mode to tackle qoo files.

If Ewido fails then we'll help you remove it manually.
there is also another scanner that gets rid of qoologic:
AdwareAway -- 5 day trial only
Only fix these entries after running VundoFix, because Hijackthis can't remove 2 of these entries without any help; vundo files start before Windows loads. If VundoFix fails to remove Vundo then there is plan B. If VundoFix is successful then vundo entries will be gone or their files are missing in HJT lines.

Fix these entries if still present, after running Vundofix:
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll

this one below is a qoologic infection:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run

this one below is nothing special just a bad extra context menu (rightclick menu)
O8 - Extra context menu item: &Search - 38YYUS

MyWebSearch is a spyware/trojan, in order to remove it go to
ControlPanel -> Add/Remove programs, find it in the list, and just
click Remove ;) it's that easy :)

Notice all of the programs that are installed and have something
like "search" or "ads" or "ad" as a word in its caption. Like
"MyWebSearch", "PowerSearch", "MyAdClient", etc.. Those are
all potential malware.

Also, to be 100% sure, read the following.

Step 1:

First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as much as possible, avoiding svchost.exe. Those which belong to the
Windows would not be able to be terminated. So don't worry. This step is
important, because this way you are shutting down any processes that could
reverse back everything you clean up.

When you have finished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe all of the icons from desktop will disappear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
"explorer" and click the "Open" button. That will restore your desktop back.

AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somehow lowered.

Step 2:

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Search - 38YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - MmVrT/iTunesSetup.exe

(If the Domain "alta.local" does not belong to your ISP, or your firm's network,
these entries should be fixed)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alta.local
O17 - HKLM\Software\..\Telephony: DomainName = alta.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alta.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alta.local

O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll

(According to
this item is a trojan)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.


We need to be really careful what to advise to people who are asking for our help. They have put their PC in our hands; we could ruin it or fix it.
I've given bad advice without thorough research before and the user paid for my bad judgement.

There are things that are not right in your post.
Anyway, I'm just going to pick the most important one that I'm concerned about.
>>>(According to
this item is a trojan)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll<<<

The above entry is a legit entry from Symantec's pcAnywhere.
It is so easy to get mixed up with files that have the same names. What you need to do is look where the file is running from and what lines in Hijackthis. in your link is talking about a trojan that is a startup entry, NOT a Winlogon Notify key.
You see the difference? greatis is talking about a PCANotify.dll trojan which is located in the same location but in the O4 lines in Hijackthis.
This one below is NOT a startup entry, not an O4 line but an O20 line. This one belongs to pcAnywhere.
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

Please don't take it as a personal attack on you because that's not my intention at all. Just trying to help you not make a bad judgement as I did.
Thank you for that notice, no offense taken :)
I apologize, because I didn't read it thoroughly, cause there were so many
items to check.

However, dowhatyoudo22, if you already removed that item, don't worry.
HijackThis keeps the backup of the items it has removed. So, you can
freely remove ALL of the items and then restart your machine to see which
things don't work anymore, and then go back to HT and just press the
"View the list of backups" and restore the item needed.

But, this should be done only in extreme situations, where you cannot
tell for sure what's the cause of the infection. In this case, just restore
that one item:
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

rpggamergirl, thank you for your notice :)
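
The O4 versus O20 distinction discussed above, as an added example that is not part of any post in this thread: a small Python triage script that looks entries up by HijackThis section and file name together. The log lines are the ones quoted in the thread plus one constructed O4 line, and the verdict table only repeats what the posters said; the function names are hypothetical.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# Log lines quoted in the thread, plus one CONSTRUCTED O4 line (the "[pcan]"
# entry) that puts the same file name under a startup section.
SAMPLE_LOG = r"""
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\gebcc.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wywyoo.exe reg_run
O4 - HKLM\..\Run: [pcan] C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: gebcc - C:\WINDOWS\System32\gebcc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
"""

# Verdicts as the posters gave them, keyed on (section, file name).
VERDICTS = {
    ("O2", "gebcc.dll"): "fix after VundoFix",
    ("O20", "gebcc.dll"): "fix after VundoFix",
    ("O4", "wywyoo.exe"): "fix (qoologic)",
    ("O4", "pcanotify.dll"): "suspect (trojan startup entry)",
    ("O20", "pcanotify.dll"): "keep (pcAnywhere)",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)

def parse(log):
    """Yield (section, lower-cased file name) for each entry with a file path."""
    for line in log.splitlines():
        entry = LINE_RE.match(line.strip())
        path = PATH_RE.search(entry.group(2)) if entry else None
        if path:
            yield entry.group(1), basename(path.group(0)).lower()

def triage(log):
    """Look verdicts up by section AND file name, never by file name alone."""
    return {key: VERDICTS.get(key, "unknown: research first") for key in parse(log)}

def ambiguous_names(log):
    """File names seen under several sections; a name-only lookup conflates them."""
    sections = {}
    for section, fname in parse(log):
        sections.setdefault(fname, set()).add(section)
    return {f: s for f, s in sections.items() if len(s) > 1}

if __name__ == "__main__":
    for (section, fname), verdict in triage(SAMPLE_LOG).items():
        print(f"{section:<4}{fname:<16}{verdict}")
    print("same name, several sections:", ambiguous_names(SAMPLE_LOG))
```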

Question has a verified solution.
