Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Popups - I need help from an expert


  • Please log in to reply

#16
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Wow! Thanks for the very comprehensive instructions!

You and the rest of the staff really provide a terrific service! I made two donations to Geeks to Go - through PayPal and Amazon - but I don't think I'll get a Donor icon by my name because for each of those sites I use a different email address from my primary email address, which I registered on this forum. (Same personal domain name, but different aliases to minimize the chance of getting on spam lists.)

I did everything you told me to do ... and removed most of the optional 04- entries you suggested. I set up and ran Ad-Aware per your instructions, although some of your Advanced and Scanning Engine options didn't exactly match up with those in Ad-Aware. (I assume maybe they changed a few options in the latest version?) But I did the best I could, and removed everything it found. Then I rebooted, and below is a fresh HJT log.

I'll wait and see if I get any more popups. Sometimes it takes a day or so. I'm keeping my fingers crossed! Thanks again.

Logfile of HijackThis v1.98.2
Scan saved at 4:29:40 PM, on 12/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Dell\Solution Center\service.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Navnt\NAVAPW32.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\Downloads\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  • 0

Advertisements


#17
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Coachwife6,

I just got home ... and there's another popup ad! :tazz: I had no windows open ... it just appeared on my desktop. This one was for Christmas shopping again. To get more info, I clicked on their link, and it went to ClubReplica.com ... trying to sell me fake Rolex watches.

Is there anything else I can do, while a popup ad is there, to try to determine what launched it? Any more info I can give you about the ads?

I'm not an expert at this stuff at all. But is it possible that I have some kind of adware on my PC that is masquerading as a real program name? Is there some kind of diagnostic program that can go through my running processes and make sure they are all what they are supposed to be?

I'm out of me league here. You obviously really know what you're doing. What do you recommend for the next step? I really want to beat this thing.

Thanks again!

Jeff
  • 0

#18
admin

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Let's just try this and see what happens.

Download the free VX2 Cleaner here
  • Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
  • Install the VX2 Cleaner
  • Start Ad-Aware SE build 1.05
  • Go to “Plug-ins”
  • Select the VX2 Cleaner plug-in and click “Run Plugin”
  • If your computer isn't infected, click "close"
If your computer is infected:
  • Select “Clean System”
  • Reboot your computer
  • Scan your computer with Ad-Aware
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer

  • 0

#19
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I just installed and ran the VX2 Cleaner, but when finished it said Status: System Clean.

I guess that's good, but I was sure hoping it would find something.

I'm ready for the next step. Thanks!

Jeff
  • 0

#20
uzi

uzi

    New Member

  • Member
  • Pip
  • 5 posts
Hi
Here some additional information that will help you!

The IP Address this popup is comming from is: 69.50.160.100
The page you are calling is http://69.50.160.100...lick/popup2.php
This side belongs to intercage.com and runs on a customer block from Atrivo,200 Paul Avenue San Francisco CA
The guy running this popup bull is - Kacperski, Emil - [email protected]
:tazz:
Keep all of us updated ...
  • 0

#21
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
You are correct, sir!

I clicked on your http://69.50.160.100...lick/popup2.php link, and it does bring me to exactly the same popup(s) I've been getting. Each time I go to it I get a different popup, but they all look (unfortunately too) familiar.

My real question now is ... How can I stop them. All the Spyware/Adware cleaners say I'm clean. Is there something in my PC that they're not finding? My latest theory is that these may be "timed popups"(?) that are the result of some web site I visited earlier. Does that make sense? If so, is there any way to figure out what site I visit that causes these?
  • 0

#22
uzi

uzi

    New Member

  • Member
  • Pip
  • 5 posts
I see 2 identical entries in HThis that I have on my PC

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

and

O4 - HKLM\..\Run: [POINTER] point32.exe

point32 is the mouse
not sure about the extra context menu item

I try to hunt this thing down too
  • 0

#23
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
JeffR:

Download the newest version of Hijack This - it was just updated the other day.

Have you tried using firefox? I run a news clipping service and have to check hundreds of sites every day and I have never had a popup since using that.

Also, try spyware blaster.

And get rid of your temp. files and your cookies.

Post another log and I'll look at it. Use the newest version. :tazz:
  • 0

#24
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Coachwife6!

Below is the latest HJT log, as you requested. You'll see that right now I am also running Lavasoft's Ad-Watch program. (I bit the bullet and paid for their full Ad-Aware SE Pro version with Ad-Watch.) Ad-Watch does block these problem popups ... BUT first they show up and then Ad-Watch kills them a few seconds later. And Ad-Watch really slows down my whole PC, especially when opening web sites. But I'm keeping it on for a while because it logs the (blocked) popup events, so now I can finally at least see when the popups actually showed up on the desktop. Also, the Ad-Watch log shows some more info, that I don't understand. It includes a "Handle". Does that help us in any way to figure out what process may be starting them? I've logged two of these popups now, and they both have the same "Handle". Here's a sample from that Ad-Watch log:

12/18/2004 5:21:48 PM> Popup blocked (--=: spyware removal :=-- - Microsoft Internet Explorer)
12/18/2004 5:21:48 PM> 12/18/2004 5:21:48 PM: Popup blocked "--=: spyware removal :=-- - Microsoft Internet Explorer"
12/18/2004 5:21:48 PM> Browser event
12/18/2004 5:21:48 PM> Parentprocess:
12/18/2004 5:21:48 PM> "--=: spyware removal :=-- - Microsoft Internet Explorer"
12/18/2004 5:21:48 PM> Handle:2496135168
12/18/2004 5:21:48 PM> Classname:IEFrame
12/18/2004 5:21:48 PM>

Also, since you really understand this stuff ... can I ask you two questions?

1) You say get rid of all my cookies. Is there any downside to that? Will I lose any functionality if I do that? Can a cookie really cause popups?

2) I found on the internet some sites talking about "timed popups". Is it possible that these popups were initiated by some web site I visited and closed, but set to popup at a later time? i.e. No bad stuff has infected my PC, but they just show up a certain time after I visited the site that planted them?

Thanks again for your help! Here's the HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 4:21:55 PM, on 12/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Dell\Solution Center\service.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\Program Files\Navnt\NAVAPW32.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\WINNT\System32\svchost.exe
c:\Program Files\PestPatrol\ppmemcheck.exe
c:\Program Files\PestPatrol\ppcontrol.exe
C:\Program Files\PestPatrol\cookiepatrol.exe
C:\Downloads\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
  • 0

#25
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
read this concerning cookies and spyware.

http://www.resnet.wv...re/spyware.html

I have to register on dozens and dozens of sites and they save cookies. Every so often, I clean them out, and I just have to re-register. No big deal.

I am on the computer all day long and I have not received one pop-up in more than six months ever since I started using firefox. Give it a try.

You can run hijack this and put a check next to these.

O4 - HKLM\..\Run: [QuickTime Task] \"C:\Program Files\QuickTime\qttask.exe\" -atboottime
(Description: Apple's QuickTime loader. Completely unneccessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources. )

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources. )

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :spoton
  • 0

Advertisements


#26
ncjohnboy

ncjohnboy

    New Member

  • Member
  • Pip
  • 8 posts
Jeff,

I had the same problem on my computer and, like you, I removed all detectable spyware and analyzed several hijackthis logs without success. But I think I got rid of it. I determined that the popus were associated with the IP address 69.50.160.100, because I saw it in my Internet Explorer history repeatedly and found a recurring cookie containing the address, which would reappear after deletion.

So I cleared my History and deleted the cookie again. Then I ran REGEDIT and did a search of my registry for 69.50.160.100 and found two registry values where it was set up as an IE homepage. I deleted each registry value and rebooted.

So far, the popus haven't come back. Your mileage may vary. Be very careful when editing your registry. I suggest you back it up first.

Good luck. Hope this helps.

John
  • 0

#27
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thanks ncjohnboy!

It's great to hear that there are others working on this. I am not alone.

I too discovered the killer IP address 69.50.160.100. And I too found those "FirstHomePage" registry entries, and deleted them. (I exported a backup of the registry first. You're right ... you have to be very careful.)

However ... The popups keep coming back. :tazz: They seem to come back at intervals of 1 hour to 19 hours. If I don't reboot in between, then it always seems to be exactly hour intervals (e.g. 4:07 am, 1:07 pm, 11:07 pm, etc.) I can see the time in the IE history entry, under Properties.

I've been using PestPatrol, Ad-Aware, SpyBot S&D, ScanSpyware, and Spyware Blaster. But none of them find the problem. It's driving me crazy. Please keep me informed of your progress, and I will do the same.

If you want to email me directly about this, my address is [email protected]

Thanks!

Jeff Rubenstein
  • 0

#28
Katfeesh

Katfeesh

    New Member

  • Member
  • Pip
  • 8 posts
Been dealing with this problem as well...It seems like we've taken all known precautions and curative measure yet this popup still comes up //69.50.160.100/oneclick/popup2.php.

...every hour. ;)

I posted the problem in this thread: http://www.geekstogo...?showtopic=6366

With any luck one of the geeks here can help us solve this! :tazz:
  • 0

#29
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
http://downloads.sub.../DllCompare.exe

Dllcmpare is a scanner to help detect hidden or non-accessible files in Windows, like the CWS super-hidden dll.
Apparently 32bit programs will not see these types of files, so Dllcompare is based on the archaic "locate.com" , an old 16bit Dos app which lists files in directories.

Start Program and Click the Run Locate.com and wait a few seconds til the scan says complete.(default settings usually are sufficient)

Click the Compare button to start the sorting process.

Files in the upper portion have been verified to "exist" as where Files in the bottom section have some form of problem being accessed.
After that if you are left with files that are not found, click the Make a Log of what was found button, and post that log.

Regards,

Pieter
  • 0

#30
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thanks for staying with this Pieter!

OK ... I did all that with Dllcompare. (We are definitely getting into areas above my pay grade now.) :tazz:

It did find two files that I guess (hope) are suspicious! Here's the log. Please let me know if this is helpful, and what you suggest as the next step.

Jeff


* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\msvcirt.dll Wed Jul 26 2000 7:00:00a A.S.. 77,878 76.05 K
C:\WINNT\SYSTEM32\msvcrt.dll Thu Jun 19 2003 3:05:04p A.S.. 286,773 280.05 K
________________________________________________

1,248 items found: 1,248 files (2 H/S), 0 directories.
Total of file sizes: 229,904,034 bytes 219.25 M

Administrator Account = True

--------------------End log---------------------
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP