Hi, I am suddenly having a problem with popups and I really can't find a solution. I am getting a pop up every 30 sec even if IE isn't running. I scanned my PC with Norton but nothing is found. I also dowloaded and executed Ad-aware and SpyBot. Both programs found some suspected files that I deleted but still the problem isn't solved. Any help would be highly appreciated since I can't even easily post the message right now having to close a pop up every minute. Thanks

have u tried google tool bar? blocks all mine on IE! failing that switch to mozilla

Download and run a scan of your system using HiJackThis. Save the results in notepad then copy and paste the results back here so we can see what's on your system. Be patient and I will look at it. CW-Shredder- HJT-ADAware, Stinger, etc

Thanks for the help. Here is my HijackThis log Logfile of HijackThis v1.97.5 Scan saved at 10:11:48, on 3/12/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS C:\Program Files\Sophos SWEEP for NT\SWUPDATE.exe C:\WINDOWS\Explorer.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\CTHELPER.exe C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\WINDOWS\System32\taskswitch.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe C:\WINDOWS\System32\xizdzqwn.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\RUNDLL32.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Documents and Settings\Melhior\Application Data\rrsb.exe C:\WINDOWS\System32\wcpit.exe C:\Program Files\MSI\Core Center\CoreCenter.exe C:\Program Files\Sophos SWEEP for NT\ICMON.exe C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe C:\Program Files\Microsoft Encarta\Encarta World English Dictionary 2001\QSHLFED.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Virtual Desktop\multiDesk.exe C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\DAP\DAP.exe C:\PROGRA~1\WINZIP\winzip32.exe C:\Documents and Settings\Melhior\Local Settings\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar= home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.bath.ac.uk:3128 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/ O1 - Hosts: 62.189.6.85 _sip._tls.sip5.phoneserve.com O1 - Hosts: 62.189.6.85 _sip._ssl.sip5.phoneserve.com O1 - Hosts: 62.189.6.86 _sip._tls.sip6.phoneserve.com O1 - Hosts: 62.189.6.86 _sip._ssl.sip6.phoneserve.com O1 - Hosts: 62.189.6.93 _sip._tls.sip7.phoneserve.com O1 - Hosts: 62.189.6.93 _sip._ssl.sip7.phoneserve.com O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe O4 - HKLM\..\Run: [aktisrpy] C:\WINDOWS\System32\xizdzqwn.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Natt] C:\Documents and Settings\Melhior\Application Data\rrsb.exe O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpit.exe O4 - Startup: multiDesk.lnk = C:\Program Files\Virtual Desktop\multiDesk.exe O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe O4 - Startup: Registration-PCTV.lnk = C:\Program Files\Pinnacle\Pinnacle PCTV\ERegister\RegTool.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Pinnacle Scheduler.lnk = ? O4 - Global Startup: Quick Shelf.lnk = ? O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Encarta Encyclopedia (HKLM) O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM) O9 - Extra button: Define (HKLM) O9 - Extra 'Tools' menuitem: Define (HKLM) O9 - Extra button: Run DAP (HKLM) O9 - Extra button: Yahoo! Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bath.ac.uk O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bath.ac.uk O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bath.ac.uk Thanks

I see you are from the UK, I'm not that familiar with alot of these entries some I'm just going to give you some guide lines and you can check them. Create a new folder and put HJT in there and run it from there so backups can be made. Let me know how it goes. For the R0s and R1s: If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar= home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =http://www.google.com/ie R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =http://www.google.com/keyword/%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =wwwcache.bath.ac.uk:3128 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/ ********************************************************** For 01s: This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site everytime you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file. The last item sometimes occurs on Windows 2000/XP with a Coolwebsearch infection. Always fix this item, or have CWShredder repair it automatically. CW-Shredder in case you need it. O1 - Hosts: 62.189.6.85 _sip._tls.sip5.phoneserve.com O1 - Hosts: 62.189.6.85 _sip._ssl.sip5.phoneserve.com O1 - Hosts: 62.189.6.86 _sip._tls.sip6.phoneserve.com O1 - Hosts: 62.189.6.86 _sip._ssl.sip6.phoneserve.com O1 - Hosts: 62.189.6.93 _sip._tls.sip7.phoneserve.com O1 - Hosts: 62.189.6.93 _sip._ssl.sip7.phoneserve.com **************************************************************** These two look like the problem. I can't find any info on them good or bad, which means they are most likely bad. If you know what they are OK, but I would have HJT fix them and after you reboot delete these files: (if you're not sure just rename the file to .old) O4 - HKLM\..\Run: [aktisrpy] C:\WINDOWS\System32\xizdzqwn.exe <---fix O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpit.exe <---fix C:\WINDOWS\System32\xizdzqwn.exe <----delete or rename to.old C:\WINDOWS\System32\wcpit.exe <----delete or rename to.old ****************************************************************** Do you know what these are?? O4 - HKCU\..\Run: [Natt] C:\Documents and Settings\Melhior\Application Data\rrsb.exe O4 - Startup: multiDesk.lnk = C:\Program Files\Virtual Desktop\multiDesk.exe *********************************************************************** For the 017s: If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the 'SearchList' entries. O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bath.ac.uk O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bath.ac.uk O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bath.ac.uk

In case you can't find those files, you may have to: Show Hidden Files

One last thing to do, clean up system. this will get rid of all the temp junk on your system. Clean up the system also (this is for 98 and ME but should be close for XP) Open up IE, from the drop down menu choose Tools, Internet Options, Delete Temporary Internet Files and cookies. (cookies optional) Go to Start, Run, type temp , delete all the files in that folder Do the same for recent Delete all the .tmp and .chk files you can find. To do so, click Start/Find and in the search box (field) type *.tmp and this will search for all your temporary files. Repeat for chk files by typing *.chk in the search field, make sure you are looking in 'C'. Empty recycle bin.