
Pop-Ups are Killing Me!!


Name: Phat_Cat
Date: November 29, 2003 at 17:31:19 Pacific
OS: Windows XP
CPU/Ram: 266 Mhz PII w/ 256 RAM
Comment:

I've been getting pop ups one after the other even when I'm offline. About 100 IE windows pop up all having a DNS error and an IP of 69.28.210.175.
Looking at my Task Manager, I get random .exe files loading and (I'm guessing) opening up an IE window and calling the ad server, which redirects to whatever ad is displayed.
It's really pissing me off, so could anyone help me?
Here's my "HijackThis" log:

Logfile of HijackThis v1.97.7
Scan saved at 7:50:16 PM, on 11/29/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\mwsvm.exe
c:\Program Files\Miramar\PC MACLAN\ATSPOOL.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\CallWave\IAM.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\WINDOWS\System32\BRMFRSMG.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\IPU.exe
C:\PROGRA~1\NETWOR~1\v11\NE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Nathan McEleney\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=AA254671-188F-4E08-9B4A-55C603DA9410&version_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Nathan McEleney\Application Data\Mozilla\Profiles\default\126qalhj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nathan McEleney\Application Data\Mozilla\Profiles\default\126qalhj.slt\prefs.js)
O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINDOWS\System32\PHelper.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Network Essentials\v11\NE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer POPUP KILLER\fs20.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [11864870.exe] C:\WINDOWS\System32\11864870.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\zphp.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: SmartWhois (HKLM)
O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.commerce-cgi.com
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: http://login.passport.com
O15 - Trusted Zone: http://login.passport.net
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_76/QDow.cab
O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{26E45378-5568-41CB-98FE-E128833BA576}: NameServer = 64.136.20.121 64.136.20.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{26E45378-5568-41CB-98FE-E128833BA576}: NameServer = 64.136.20.121 64.136.20.133





Response Number 1
Name: Rick
Date: November 29, 2003 at 17:46:19 Pacific
Reply:

I had a similar problem and I was given this advice and I have not had another pop-up.

you need
1) AdAware
2) Spybot Search and Destroy
3) Spyware Blaster

AND

4) CoolWebShredder (CWShredder)

download, update & run them one at a time

Let me know how it works out.


0

Response Number 2
Name: Nick R (by Nick Ritchie)
Date: November 30, 2003 at 06:31:44 Pacific
Reply:

I downloaded and installed the free Google toolbar, which has a built-in pop-up blocker! Before I installed the Google toolbar, I was getting a lot of pop-ups; now I don't have any pop-ups! On the Google search home page it will have a link to the free Google toolbar.
Good Luck Nick


0

Response Number 3
Name: gmoney
Date: November 30, 2003 at 22:06:55 Pacific
Reply:

Looks like that 69.28.210.175 IP address is bad news:
See these links:
http://incidents.org/ipinfo.php?ip=069.028.210.175
http://incidents.org/warning_explanation.php?fip=69.28.210.175&Submit=Submit


0

Response Number 4
Name: Nathan
Date: December 1, 2003 at 20:42:12 Pacific
Reply:

Okay people...
I've tried both of the solutions posted here, and NOTHING is stopping these popups.
In the time that it took me to write that sentence (not even 30 seconds), I've had to close 4 windows.
Somebody PLEASE take a close look at that "HijackThis" log posted above and see if you can help.
BTW, thanx for all the help I got so far. The thoughts were meant well.



0

Response Number 5
Name: gmoney
Date: December 1, 2003 at 21:53:25 Pacific
Reply:

I ran a search at sarc.com for some of the executables I didn't recognize in your HijackThis log and got a hit on "mwsvm.exe". Take a look here at these removal instructions.
Or if you're getting bombarded by too many popups to read through the instructions, maybe you can end the mwsvm.exe and slmss.exe processes, which will hopefully stop the popups. Good luck. (Shameless Mozilla plug: Go to www.mozilla.org and install this web browser! It's free and has a built-in popup blocker and spam filter - also it doesn't run ActiveX and VBScript so a lot of the spyware coming from web sites can't install itself or run!)


0




Response Number 6
Name: sankar
Date: December 1, 2003 at 22:05:35 Pacific
Reply:

Hei, I got the same problem. I am googling for all the stuff in my Task Manager that gets loaded at boot. I came here googling for IPU.exe. Do you know what it is? Though it is in the system directory, it does not come up that often in Google (which will happen with more common software loaded at startup and is Microsoft) and I am unable to figure out how that was installed, and it has an install date of 11/3/03. Not sure that file has got something to do with it, but if you stop it the popups seem to go away (though it might be part of something Windows needs for that function). Though there is something else also, since when I closed it in Task Manager it restarted after a few seconds. See if you have a file called update.txt in c:\windows\system32 that has the same time as this file. Let me know.


0

Response Number 7
Name: Nelli
Date: December 2, 2003 at 09:40:39 Pacific
Reply:

You have a virus - I have the same one and cannot for the life of me get rid of it. I believe the virus is called the stcloader. Anyone have any idea of how to get rid of it and if it's annoying or causing any damage??? Please help!



0

Response Number 8
Name: gmoney
Date: December 2, 2003 at 22:23:51 Pacific
Reply:

I didn't find anything about IPU.exe either but I did find something about "stcloader"... Just do a search for it at securityresponse.symantec.com and you'll find they call it "Adware.SecondThought". You need to edit the registry to keep the program from starting or possibly one of the spyware removal tools can do it for you?


0
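Added example (not part of any post in this thread): a Python script that reads a HijackThis log like the one in the question and, for the file names raised in the replies (mwsvm.exe, slmss.exe, stcloader.exe, IPU.exe), reports whether each is running and which `O4` Run values start it at logon. The function names are choices made for this example, and the embedded sample is an excerpt of the posted log.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted in the question (not the whole log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\System32\IPU.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
"""

# Shape of an autostart line: O4 - HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

def image_name(command):
    """Lower-cased file name of the program a Run command line starts."""
    if command.startswith('"'):                      # quoted path, maybe with args
        path = command[1:].split('"', 1)[0]
    else:                                            # unquoted path may contain spaces
        m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
        path = m.group(1) if m else command.split()[0]
    return ntpath.basename(path).lower()

def parse_log(text):
    """Return (set of running image names, list of (key, value, image) autoruns)."""
    running, autoruns, in_processes = set(), [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False                     # blank line ends the process list
        elif in_processes:
            running.add(ntpath.basename(line).lower())
        elif (m := O4_RUN.match(line)):
            autoruns.append((f"{m[1]}\\{m[2]}", m[3], image_name(m[4])))
    return running, autoruns

def triage(text, names):
    """Per file name: is it running, and which Run values start it at logon?"""
    running, autoruns = parse_log(text)
    return {n.lower(): {"running": n.lower() in running, "run_values":
            [f"{k}:{v}" for k, v, img in autoruns if img == n.lower()]} for n in names}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["mwsvm.exe", "slmss.exe", "stcloader.exe", "IPU.exe"]))
```

A name that is running but has no Run value, as IPU.exe is in the log as posted, is being started some other way, so clearing Run values alone will not stop it.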

Response Number 9
Name: dave lashley
Date: December 9, 2003 at 20:59:09 Pacific
Reply:

Run Microsoft updates and it will cure the problem. Takes about 10 minutes



0
