Solved

Pop ups

Posted on 2006-06-10
4
2,839 Views
Last Modified: 2013-12-04
Hi Experts,
I have Windows XP Home system that has pop ups that won't stop.  I used ad-aware, cwshredder, pop up cop, look2me destroyer, symantec, etc and still have the pop ups.  Reviewing past posts here, I used the hijack file and this is the results:

Ideas?  Help?   thanks!

Logfile of HijackThis v1.99.1
Scan saved at 1:57:45 PM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\IA\command.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wmiapsv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\rundll32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne1.attbb.net;localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe,lcwvsud.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKCU\..\Run: [glkhj] C:\WINNT\system32\kwynip.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.americangreetings.com/cnp/Install/AxCtp.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: DateTime - C:\WINNT\system32\cpyptdlg.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\IA\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINNT\wmiapsv.exe

0
Comment
Question by:Cert98
  • 2
4 Comments
 
LVL 97

Expert Comment

by:war1
Comment Utility
Greetings, Cert98 !

1. If you have Windows Messenger Service, disable it.  The Messenger is the source of popups and virus.

http://www.itc.virginia.edu/desktop/docs/messagepopup/

2. Use Ewido to remove hard to remove spyware
http://www.ewido.net/en/
or
Spy Sweeper
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html

3. I will look at your HijackThis log.

Best wishes!
0
 
LVL 97

Expert Comment

by:war1
Comment Utility
Cert98,

You should not have posted the HijackThis log here.  Instead, run an an analysis at http://hijackthis.de  then save the result and post a link to the result here.  Here is a link to the analyzed log

http://hijackthis.de/logfiles/bb54205d80b91341a210761f812c9d89.html

1. Delete the following item or have Killbox or Unlocker the remove following files:
Killbox to remove stuborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

C:\WINNT\IA\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\wmiapsv.exe

2. Remove Sursidekick
http://www.spyany.com/program/article_adw_rm_SurfSideKick.html

3. Are you sure you removed Look2Me?

Use Vx2Finder to remove LookToMe
http://www.pchell.com/downloads/vx2finder.exe

Download VX2FinderThe currently recommended tool for removing Look2Me.
If it finds this virus, disconnect from the Internet (and stay off until done cleaning).
Have VX2Finder search for Look2Me, then click “Delete these files.”
Reboot when asked to do so.
Once Windows is reloaded, relaunch VX2 Finder and click the User Agent, Guardian.reg, and Restore Policy buttons, saying OK each time.
When finished, reboot again.
Run VX2 still again, have it check for the virus a final time to confirm you are clean.

3. Check the box next to the following items and have HijackThis "Fix Checked".  After doing 1) and 2), some of the entries may not be in the HijackThis log anymore.

C:\WINNT\IA\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\wmiapsv.exe
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe,lcwvsud.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKCU\..\Run: [glkhj] C:\WINNT\system32\kwynip.exe reg_run            
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: DateTime - C:\WINNT\system32\cpyptdlg.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\IA\command.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINNT\wmiapsv.exe

4. If you did not install the following items, have HJT remove them.

O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.americangreetings.com/cnp/Install/AxCtp.cab
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
Comment Utility
Hi,
What you have there is a qoologic, Alcan, and SurkSideKick infections!
Hijackthis can not fix the entries related to these infections, they will just come back so you need other tools especially made to fix these infections.

In add/remove Programs uninstall "SurfSideKick 3" if that doesn't work proceed below to download BFU and SideKickFix.bat.
Please follow the directions carefully:

1. a) Download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the file on your Desktop, and choose Extract All.
Click Next.
In the box to choose where to extract the files to:
Click Browse.
Click on the + sign next to My Computer
Click on Local Disk (C:)
Click Make New Folder
Type in BFU
Click Next, and uncheck the Show Extracted Files box and then click Finish.

b) Download sidekickFix.bat
http://downloads.subratam.org/Lon/sidekickFix.bat
(rightclick on that link and choose save as)
Place sidekickFix.bat in your C:\BFU - folder. (Important!)
Close all browsers and explorer folders.
Double-click on sidekickFix.bat
Click Yes and follow the prompts, when prompted to restart the PC please do so.


Proceed to download fix for qoologic and Alcan infections:
2.  Download Qoofix.bat and put it in your C:\BFU folder that you made earlier(important)
http://downloads.subratam.org/Lon/qooFix.bat
Download qoofix.bat (rightclick on this link and choose save as)
Place qoofix.bat in your C:BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please download Alcra Plus remover.


3. Also download Alcra PLUS Remover:
http://metallica.geekstogo.com/alcanshorty.bfu
righclick on the link and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with this yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


4. Then, please go to Start > My Computer and navigate to the C:\BFU folder (important)
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon  and select "alcanshorty.bfu"
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


NOTE: In your C:\BFU folder you would put these:
1. sidekickFix.bat
2. Qoofix.bat
3. Alcra PLUS Remover (the alcanshorty.bfu)

After you've run all those tools, post a new hijackthis log, to check that bad entries are gone, if the tools failed then we'll remove them manually.
0
 
LVL 2

Expert Comment

by:nikorba
Comment Utility
Hi there buddy
I just Advise you to upgrade to Internet Explorer 7 beta 2 , Its pop up blocker is very strong
https://www.microsoft.com/windows/ie/default.mspx

In Addition I Advise you to use Kaspersky Internet Security 6.0 , It's All you need for your PC secuirty with too many tools.
if you are afraid that your computer may slow down ?
Don't worry , You can disable any tool of this program manually , so this problem would be done
http://www.kaspersky.com/productupdates?chapter=186437046

I hope It helps you :)
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Read about how to approach blogging and about ways to do it right. Stand out from the crowd and let your knowledge be consumed by a large audience. This article aims to explain how your blog should look like,  the most important things to do while b…
Read about how to choose the best possible content marketing agency to suit your needs. Content marketing has become an integral part of running a successful tech business, so it is wise to be informed.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now