I’ve been having problems with pop-up windows for all different kinds of adverts. The pop ups are not related to any one site b/c they pop up even when accessing sites that don't use them. Eventually they max out the memory and crash the machine. I’ve run AdAware, CWShredder and SpyBot Search & Destroy but all to no avail.
Suggestions?

Sorry, I forgot to mention that. Yes I have, I have TrendMicro installed and it runs daily and is running the current patterns.

Well, if everything is clean, why don't you look into installing the Google Toolbar. I believe its built-in pop-up blocker is darn near the best to be found. Just go to Google.com and I believe the link to all of its tools is located near the bottom of the Google home page.

SpyBot Search & Destroy has a HOSTS file that you install into the Windows directory. It acts like an address book of banned web addresses. I have it and have not had one single pop-up for months.
I also now have ZoneAlarm pro but I believe the Hosts file was installed ages before ZoneAlarm.

Be a bit careful with the Spybot Hosts file. It supposedly has quite a few outdated entries in it that have not been corrected and can really screw with surfing.
In fact, I've found that a Host file in general causes more issues than it solves. This is my experience though, you may not have the same results. I have found the best alternative to a Hosts file is to have a program called IESpyad.
This will add the same types of "bad domains" if you will to your Restricted Sites zone, which is a bit easier to edit than a Hosts file and does not cause the same issues. Just an opinion.

Have you cleaned out your Temp Internet Files Folder? There may be something in there bringing the rubbish.
If you are still getting pop-ups, there is a free program that lists the running processes etc., 'HiJackThis'; this may reveal something. Don't post your log on here unless you can't sort it out yourself.
Some of the logs get deleted. Lastly, have you looked to see what's loaded at start-up? There may be a rogue file that will give us a clue....
START - RUN - MSCONFIG - STARTUP...

I would go to www.grc.com and download Shoot The Messenger and install it; it could help.
I use Mozilla Firebird; I have not seen a popup in a very long time.

Thanks everyone.
I've checked Msconfig and everything is fine except iefeatures.exe and internetfeatures.exe are in there. I can uncheck them but they eventually return.
As for HijackThis, I've run it and am trying to sort out exactly what is in there and what shouldn't be.
It definitely appears there's some type of spyware/trojan lurking in there.

It sounds like it could be Spy Wiper, or at least that's what Spy Wiper causes. Or Client Man. You can post your log and we'll find the nasties causing your problems.

Thanks. Here is my log:
7
Scan saved at 3:11:14 PM, on 1/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\PCCWIN97.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\OFCDOG.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.exe
C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\APROPOSCLIENT\APROPOS.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\QUICK VIEW PLUS\PROGRAM\QVP32.exe
C:\TEMP\HIJACKTHIS.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://KWLLPDC1:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\WINDOWS\ALL USERS\APPLICATION DATA\X0FF\X0FF.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\APROPOSCLIENT\APROPOSPLUGIN.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.exe /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.exe
O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe" -HideWindow
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccwin97.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Image Retriever.lnk = C:\Program Files\ScanSoft\PaperPort\xdcla.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Quicken 2003\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\Quicken 2003\QWDLLS.exe
O4 - Startup: Billminder.lnk = C:\Quicken 2003\billmind.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://kwllpdc1/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://kwllpdc1/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://kwllpdc1/officescan/clientinstall/setup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.6729398148
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = kwllp

Hi Tomes,
First, move Hijack This to a permanent directory like c:\program files\hijack this\hijackthis.exe. This way you can undo any changes if something goes wrong.
Put a check mark next to these, click "fix checked" and reboot.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\WINDOWS\ALL USERS\APPLICATION DATA\X0FF\X0FF.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\APROPOSCLIENT\APROPOSPLUGIN.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
Like VirtualBouncer, malware from Spyware Labs. It is distributed by the same bundling and drive-by download techniques as the malware it claims to remove/prevent, so definitely qualifies as unsolicited commercial software in itself. It also has an update feature that can download and execute arbitrary code.
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab
Reboot and delete the APROPOSCLIENT folder, and this file: AdDestroyer.exe
Good luck
Post a new log, to see if we got it all.
abnormal
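
Added example, not part of the post above and not HijackThis's own code: a small triage helper that parses HijackThis log lines and groups entries from different sections that point at the same component, so related entries (such as a BHO and the DPF entry that downloads it) are fixed together, and that lists entries whose file is missing. The `PROC` label, the function names and the generic-folder stoplist are assumptions made for this sketch; the grouping shows which entries belong together, not whether they are malicious.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\PROGRAM FILES\APROPOSCLIENT\APROPOS.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\WINDOWS\ALL USERS\APPLICATION DATA\X0FF\X0FF.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\APROPOSCLIENT\APROPOSPLUGIN.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} (accel Class) - http://www.riversoftware.net/x0ff.cab
"""

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")
FILE = re.compile(r'([^\\/"]+)\.(?:exe|dll|ocx|cab|tsk)\b', re.I)
GENERIC = {"windows", "system", "system32", "program files", "bin", "temp"}  # assumed stoplist

def parse(log):
    """Yield (section, target, line); running-process lines get section 'PROC'."""
    for line in filter(None, map(str.strip, log.splitlines())):
        m = ENTRY.match(line)
        if m:  # the target is the last field after ' - ', ' = ' or '] '
            yield m.group(1), re.split(r" - | = |\] ", m.group(2))[-1], line
        elif re.match(r"[A-Za-z]:\\", line):
            yield "PROC", line, line

def keys(target):
    """Names that identify a component: file stem, plus parent folder for local paths."""
    m = FILE.search(target)
    if not m:
        return set()
    found = {m.group(1).lower()}
    parent = target[:m.start()].rstrip("\\").rsplit("\\", 1)[-1].lower()
    if re.match(r'"?[A-Za-z]:\\', target) and parent not in GENERIC and ":" not in parent:
        found.add(parent)
    return found

def correlate(log):
    """Map each component name to its sections, keeping names seen in two or more."""
    seen = defaultdict(set)
    for section, target, _ in parse(log):
        for k in keys(target):
            seen[k].add(section)
    return {k: s for k, s in seen.items() if len(s) > 1}

def orphans(log):
    """Entries whose registered file is missing (HijackThis prints '(no file)')."""
    return [line for _, t, line in parse(log) if t == "(no file)"]
```

On the sample, `correlate` ties the X0FF BHO to the `x0ff.cab` DPF entry and the APROPOS process to its BHO folder, and also groups the ordinary SysTray entries, which is why the output still needs a human verdict.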

iefeatures.exe brings pop-ups...
http://216.239.59.104/search?q=cache:cxm6liZgvOkJ:www.pestpatrol.com/PestInfo/p/popmonster.asp+iefeatures.exe+&hl=en&ie=UTF-8
