Pop-Ups - They're Back ! [CLOSED], Malware causing annoying pop-ups in Internet Explorer
Kalira
post Jun 24 2006, 11:56 AM
Post #1


Member
**
Posts: 40
From: Florida, USA
OS: XP Pro SP2



Pesty pop-ups being a pain.

Operating a PC with Windows XP Professional.

Ran Trendmicro, Ad-Aware, etc., all to no avail.

I would really appreciate some help. Thanks.



Kalira.
Flrman1
post Jun 24 2006, 09:45 PM
Post #2


Malware Assassin
Posts: 6,596
OS: XP Home, XP Pro, Vista



Please do this:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Kalira
post Jun 27 2006, 12:53 AM
Post #3


Member
**
Posts: 40
From: Florida, USA
OS: XP Pro SP2



Thank you. Here are the results of the file run:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:57 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\RoboNanny\RoboNanny.exe
C:\Program Files\HP\Digital Imaging\bin\hposol08.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1108587075\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {02F31399-7F6C-E701-429F-F05D202671C7} - C:\DOCUME~1\Ken\APPLIC~1\TONSBO~1\thisbias.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [RoboNanny] C:\Program Files\RoboNanny\RoboNanny.exe
O4 - HKCU\..\Run: [Browse heart] C:\DOCUME~1\Ken\APPLIC~1\ABOUTP~1\webdrive.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6FE020-0513-4BCD-B23F-56B866707D46}: NameServer = 68.111.16.30,68.111.16.25
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1108587075\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Flrman1
post Jun 28 2006, 06:17 AM
Post #4


Malware Assassin
Posts: 6,596
OS: XP Home, XP Pro, Vista




* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan


* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.
Kalira
post Jun 28 2006, 10:32 AM
Post #5


Member
**
Posts: 40
From: Florida, USA
OS: XP Pro SP2



Thanks again. I had to run ActiveScan in Safe Mode because IE kept blowing off in regular mode. After the quote of your instructions to me, the ActiveScan Report is provided. Kalira.


=============

QUOTE(Flrman1 @ Jun 28 2006, 07:17 AM) [snapback]714513[/snapback]

* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan


* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.




Incident Status Location

Adware:Adware/Lop Not disinfected c:\docume~1\ken\applic~1\aboutp~1\webdrive.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Fork bone slow bird\Poll Rect.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ken\Application Data\aboutplatform\czexqqdi.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ken\Application Data\aboutplatform\webdrive.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\0m0t3194.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\0m0t3194.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\0m0t3194.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\0m0t3194.default\cookies.txt[64.62.232.6/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\0m0t3194.default\cookies.txt[.ath.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\0m0t3194.default\cookies.txt[.belnk.com/]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ken\Application Data\TONS BOLT\thisbias.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@ad.yieldmanager[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@atdmt[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@mediaplex[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@offeroptimizer[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@questionmarket[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ken\Desktop\Temp-X\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ken\Desktop\Temp-X\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Flrman1
post Jun 29 2006, 03:37 PM
Post #6


Malware Assassin
Posts: 6,596
OS: XP Home, XP Pro, Vista



* Click here to download ATF Cleaner by Atribune and save it to your desktop.


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {02F31399-7F6C-E701-429F-F05D202671C7} - C:\DOCUME~1\Ken\APPLIC~1\TONSBO~1\thisbias.exe

O4 - HKCU\..\Run: [Browse heart] C:\DOCUME~1\Ken\APPLIC~1\ABOUTP~1\webdrive.exe



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\Documents and Settings\All Users\Application Data\Fork bone slow bird

    C:\Documents and Settings\Ken\Application Data\aboutplatform

    C:\Documents and Settings\Ken\Application Data\TONS BOLT


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.

* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.


* Restart back into Windows normally now.


* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log.

Note: You have to use Internet Explorer to do the online scan.


* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.


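Added example, not part of the original thread and not code from HijackThis or ActiveScan: a Python sketch that correlates the O2/O4 autostart entries in the HijackThis log with the files named in the ActiveScan report. The log writes paths with 8.3 short names (APPLIC~1, TONSBO~1) while the report uses long names, so the comparison uses a simplified short-name rule; real aliases are assigned by the filesystem, so a hit is a candidate to confirm on the host. The function names are hypothetical.

```python
import re

# Lines copied from the HijackThis log and ActiveScan report posted in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {02F31399-7F6C-E701-429F-F05D202671C7} - C:\DOCUME~1\Ken\APPLIC~1\TONSBO~1\thisbias.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [RoboNanny] C:\Program Files\RoboNanny\RoboNanny.exe
O4 - HKCU\..\Run: [Browse heart] C:\DOCUME~1\Ken\APPLIC~1\ABOUTP~1\webdrive.exe
"""
SCAN_REPORT = r"""
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ken\Application Data\aboutplatform\webdrive.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Ken\Application Data\TONS BOLT\thisbias.exe
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ken\Cookies\karenkraft@zedo[2].txt
"""
PATH = re.compile(r'[A-Za-z]:\\[^"]+')   # drive-letter path, up to a closing quote
SHORT = re.compile(r"^(.{1,6})~\d+$")    # extensionless 8.3 alias such as APPLIC~1

def extract_path(line):
    m = PATH.search(line)
    return m.group(0).strip() if m else None

def component_matches(a, b):
    """True if two path components are equal or one is a plausible 8.3 alias of the other."""
    a, b = a.upper(), b.upper()
    if a == b:
        return True
    for short, long_ in ((a, b), (b, a)):
        m = SHORT.match(short)
        # Assumed simplified rule: spaces dropped, leading characters kept, "~N" appended.
        if m and long_.replace(" ", "").startswith(m.group(1)):
            return True
    return False

def same_file(p, q):
    """Compare two Windows paths component by component, tolerating short names."""
    pa, qa = p.split("\\"), q.split("\\")
    return len(pa) == len(qa) and all(component_matches(x, y) for x, y in zip(pa, qa))

def correlate(hjt_log, report):
    """Return (section, autostart path, scanner verdict) for flagged O2/O4 entries."""
    found = [(extract_path(l), l) for l in report.strip().splitlines() if extract_path(l)]
    hits = []
    for line in hjt_log.strip().splitlines():
        section, path = line.split(" - ", 1)[0], extract_path(line)
        if section not in ("O2", "O4") or not path:
            continue
        for det_path, det_line in found:
            if same_file(path, det_path):
                # The text before the path is the report's incident and status columns.
                hits.append((section, path, det_line[:det_line.index(det_path)].strip()))
    return hits

if __name__ == "__main__":
    for hit in correlate(HJT_LOG, SCAN_REPORT):
        print(hit)
```

On the sample lines this returns the same two entries that post #6 marks for "Fix checked"; the cookie detections never match because they are not autostart targets.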
Flrman1
post Jul 5 2006, 04:54 PM
Post #7


Malware Assassin
Posts: 6,596
OS: XP Home, XP Pro, Vista



I split the post you made for the other computer off into a new topic. We were not finished with the computer we were working on here.

You need to finish with what I asked you to do here and reply back to this topic with the info I asked you for from this computer only.
Flrman1
post Jul 10 2006, 06:25 AM
Post #8


Malware Assassin
Posts: 6,596
OS: XP Home, XP Pro, Vista



You posted the info from the other computer here again. Since you didn't follow up on this, I'm closing this topic. Make all posts regarding this different computer in the topic at the link below:

http://www.geekstogo.com/forum/index.php?a...37&t=121128
Flrman1
post Jul 10 2006, 06:25 AM
Post #9


Malware Assassin
Posts: 6,596
OS: XP Home, XP Pro, Vista



Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.