I've been getting pop ups one after the other even when I'm offline. About 100 IE windows pop up all having a DNS error and an IP of 69.28.210.175.
Looking at my Task Manager, I get random .exe files loading and (I'm guessing) opening up an IE window and calling the ad server, which redirects to whatever ad is displayed.
It's really pissing me off, so could anyone help me?
Here's my "HijackThis" log:
Logfile of HijackThis v1.97.7
Scan saved at 7:50:16 PM, on 11/29/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\mwsvm.exe
c:\Program Files\Miramar\PC MACLAN\ATSPOOL.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\CallWave\IAM.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\ymsgr_tray.exe
C:\WINDOWS\System32\BRMFRSMG.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\IPU.exe
C:\PROGRA~1\NETWOR~1\v11\NE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Nathan McEleney\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=AA254671-188F-4E08-9B4A-55C603DA9410&version_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Nathan McEleney\Application Data\Mozilla\Profiles\default\126qalhj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nathan McEleney\Application Data\Mozilla\Profiles\default\126qalhj.slt\prefs.js)
O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINDOWS\System32\PHelper.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Network Essentials\v11\NE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer POPUP KILLER\fs20.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [11864870.exe] C:\WINDOWS\System32\11864870.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\zphp.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: SmartWhois (HKLM)
O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.commerce-cgi.com
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: http://login.passport.com
O15 - Trusted Zone: http://login.passport.net
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8108/turbo.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_76/QDow.cab
O16 - DPF: {532217E3-860C-4EEE-8BBD-3F342DCD9AE9} (InPop.InControl) - http://adlogix.com/pop/InPop.CAB
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{26E45378-5568-41CB-98FE-E128833BA576}: NameServer = 64.136.20.121 64.136.20.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{26E45378-5568-41CB-98FE-E128833BA576}: NameServer = 64.136.20.121 64.136.20.133

I had a similar problem and I was given this advice and I have not had another pop-up.
You need
1) AdAware
2) Spybot Search and Destroy
3) Spyware Blaster
AND
4) CoolWebShredder (CWShredder)
Download, update & run them one at a time.
Let me know how it works out.

I downloaded and installed the free Google toolbar, which has a built-in pop-up blocker! Before I installed the Google toolbar, I was getting a lot of pop-ups; now I don't have any pop-ups! On the Google search home page there will be a link to the free Google toolbar.
Good Luck Nick

Looks like that 69.28.210.175 IP address is bad news:
See these links:
http://incidents.org/ipinfo.php?ip=069.028.210.175
http://incidents.org/warning_explanation.php?fip=69.28.210.175&Submit=Submit

Okay people...
I've tried both of the solutions posted here, and NOTHING is stopping these popups.
In the time that it took me to write that sentence (not even 30 seconds), I've had to close 4 windows.
Somebody PLEASE take a close look at that "HijackThis" log posted above and see if you can help.
BTW, thanks for all the help I got so far. The thoughts were meant well.

I ran a search at sarc.com for some of the executables I didn't recognize in your HijackThis log and got a hit on "mwsvm.exe". Take a look here at these removal instructions.
Or if you're getting bombarded by too many popups to read through the instructions, maybe you can end the mwsvm.exe and slmss.exe processes, which will hopefully stop the popups. Good luck. (Shameless Mozilla plug: Go to www.mozilla.org and install this web browser! It's free and has a built-in popup blocker and spam filter - also it doesn't run ActiveX and VBScript so a lot of the spyware coming from web sites can't install itself or run!)

Hi, I got the same problem. I am googling for all the stuff in my Task Manager that gets loaded at boot. I came here googling for IPU.exe. Do you know what it is? Though it is in the system directory, it does not come up that often in Google (which will happen with more common software that is loaded at startup and is Microsoft's), and I am unable to figure out how it was installed; it has an install date of 11/3/03. I'm not sure that file has got something to do with it, but if you stop it the popups seem to go away (though it might be part of something Windows needs for that function). There is something else also, though, since when I closed it in Task Manager it restarted after a few seconds. See if you have a file called update.txt in c:\windows\system32 that has the same time as this file. Let me know.

You have a virus - I have the same one and cannot for the life of me get rid of it. I believe the virus is called the stcloader. Anyone have any idea of how to get rid of it and if it's annoying or causing any damage??? Please help!

I didn't find anything about IPU.exe either but I did find something about "stcloader"... Just do a search for it at securityresponse.symantec.com and you'll find they call it "Adware.SecondThought". You need to edit the registry to keep the program from starting or possibly one of the spyware removal tools can do it for you?
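
An added example, not part of any post in this thread: a Python script that pulls the O4 registry autorun lines out of a HijackThis log and lists the ones whose executable was singled out in the replies above (mwsvm.exe, slmss.exe, stcloader.exe). The sample lines are copied from the posted log; the function names and the check for one binary launched by more than one Run value are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a few O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
"""

# Executable names that replies in this thread singled out.
THREAD_NAMES = {"mwsvm.exe", "slmss.exe", "stcloader.exe"}

# "O4 - HKLM\..\Run: [value name] command line" (registry autoruns only)
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
EXE = re.compile(r'([^\\"]+\.exe)', re.IGNORECASE)

def parse_run_entries(log_text):
    """Return one dict per O4 registry autorun line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # Startup-folder shortcuts and other sections are skipped
        hive, key, name, command = m.groups()
        exe = EXE.search(command)
        entries.append({"hive": hive, "key": key, "name": name, "command": command,
                        "exe": exe.group(1).lower() if exe else None})
    return entries

def triage(entries):
    """Return value names matching THREAD_NAMES, plus binaries started by 2+ values."""
    by_exe = defaultdict(list)
    for e in entries:
        by_exe[e["exe"]].append(e["name"])
    named = [e["name"] for e in entries if e["exe"] in THREAD_NAMES]
    # Assumption for illustration: one binary behind several Run values merits a look.
    duplicated = {exe: names for exe, names in by_exe.items() if exe and len(names) > 1}
    return named, duplicated

if __name__ == "__main__":
    print(triage(parse_run_entries(SAMPLE_LOG)))
```

The value names it returns are the ones to look for under the Run key when following the registry-editing advice in the last reply.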
