pop ups self executing IE

Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada


Post by Randy »

Something is running in the background that launches IE to some advertising popup... It's driving me nuts. I have tried a few different things, but nothing seems to stop them.. looks like I am going to fdisk.... :irate:

The problem is this: when I am playing a game I get booted back to the desktop because of some pop up. This pop up is not your normal garden variety pop up, for the main reason that it executes even when Internet Explorer is not open.

The only way I can stop them is by disallowing IE net access via firewall before I go to play my games.

Spybot, Ad-Aware and Norton all come back saying "she's all clear captain".. How can she be all clear when she stinks so bad?


SCoTTY!! :irate:

I was going to post a link to that thread, but the SG search results for "bullsh|t" were too numerous

sometimes you have to think outside the box to get inside the box ;).
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

Post all applications and processes shown in Task Manager:

Then use regedit to show what is here:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.

LRH
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Probably the messenger service that has been posted a million times.

WAKE UP!!

:D
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Originally posted by Norm
Probably the messenger service that has been posted a million times.

WAKE UP!!

:D


I haven't seen messenger service launch IE stuff.
MORNING WOOD Lumber Company
Guinness for Strength!!!
richardc
Senior Member
Posts: 1081
Joined: Thu Dec 23, 1999 12:00 am
Location: vancouver bc

Post by richardc »

Another way of doing what Tony T suggests is to use Hijack This
and post the results. You can find this free program here:


http://mjc1.com/mirror/hjt/
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by YeOldeStonecat
I haven't seen messenger service launch IE stuff.
Neither have I. :)
stevejrc
Regular Member
Posts: 126
Joined: Wed Sep 03, 2003 11:33 am
Location: England, Surrey

Post by stevejrc »

Could it be RapidBlaster spyware? just a guess..............

General Info: RapidBlaster runs as a task at Windows startup. It downloads advertising from the Internet and displays it periodically.

this scans for it, also download spyware blaster to prevent it:

http://www.wilderssecurity.net/speciali ... aster.html

I should have thought that Ad-Aware would have found this anyway, but it's worth a try scanning with this tool.
Steve Win XP, Wanadoo Broadband 2mb
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

I used that HijackThis program and this is the log:

* Note the line with the IP address; I made a space so you can see it below.. that may be the SOB!!!

C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Randall\Desktop\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.speedguide.net/forumdispl ... forumid=41
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Search.vbs
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... /swdir.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe ... .0.0.5.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {407F5185-3B2E-4196-982B-1E258C46F8FD} - ftp://ftp.ea.com/pub/easports/patches/n ... us/nhl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) -


>>>>>>>>>http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


http://v4.windowsupdate.microsoft.com/C ... 5835416667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

well? .... :(

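A triage pass over a HijackThis log like the one posted above, written as an added example (not part of the thread and not HijackThis's own code). The three checks (an entry whose file is missing, a script file in an O4 autostart entry, an O16 ActiveX download whose source is a bare IP address) are assumed heuristics for deciding what to inspect by hand, not verdicts; the sample lines are copied from the posted log, with the split O16 line rejoined.

```python
import re
from urllib.parse import urlparse

# Assumed heuristics for manual review, not verdicts on any entry.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, e.g. "O4 - ..."
SCRIPT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Lines copied from the log posted above; the split O16 line is rejoined.
SAMPLE_LOG = r"""C:\WINDOWS\System32\WScript.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Search.vbs
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
"""


def triage(log_text):
    """Return (section, reason, entry) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # running-process lines and blanks carry no section code
        section, body = m.groups()
        # Any section: the registry still points at a file that is gone.
        if body.endswith("(no file)"):
            findings.append((section, "registered file is missing", body))
        # O4 = autostart (Run keys, Startup folders): scripts run via WScript.
        if section == "O4" and SCRIPT.search(body):
            findings.append((section, "script file starts at logon", body))
        # O16 = downloaded ActiveX controls: the source URL is the last field.
        if section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            host = urlparse(url).hostname or ""
            if IPV4.match(host):
                findings.append((section, "ActiveX fetched from a bare IP", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:>3}  {reason}: {body}")
```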
Joe
SG Elite
Posts: 8585
Joined: Sat Jun 02, 2001 7:36 pm
Location: USA

Post by Joe »

download and run this..

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

it will get rid of any IE thieves....

Also BE CAREFUL what you delete; mainly look for oddities such as weird web addresses and the like under certain areas such as 'default search' etc...

You may also want to visit this site for more helpful apps...

http://www.spywareinfo.com/~merijn/downloads.html
Joe
SG Elite
Posts: 8585
Joined: Sat Jun 02, 2001 7:36 pm
Location: USA

Post by Joe »

Oooppps, didn't see your post..

For me, I would just check everything except maybe your start page and FIX them... anything legit should auto edit the reg and put it back in.... some apps may need to be run and set to run on startup...

That's just me...


I have 3 things listed in my HijackThis report if that tells you anything.. all needed
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

Screw it!! fdisk tomorrow :rolleyes:

Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

You could try getting the url of the popup and search your registry for it, and delete it?

fdisk is a bit rough for a member with over 5000 posts.

Too much talking, and not enough listening :D
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

Originally posted by Norm
You could try getting the url of the popup and search your registry for it, and delete it?

fdisk is a bit rough for a member with over 5000 posts.

Too much talking, and not enough listening :D


Yeah I know.. I listen, though I spend too much time in general.

I don't help out as much as I used to. I was thinking about you today Norm and about the pcbuilder program you talked about.

I need to learn more about registry tweaks, ghosting/mirror images, and DOS<< man I suck at DOS..
When I type ipconfig in Run it won't run.. a black screen comes up then disappears real quick. WTH!

System decided to reboot itself last night and I am thinking intruder?

How do I search the registry for a URL?

richardc
Senior Member
Posts: 1081
Joined: Thu Dec 23, 1999 12:00 am
Location: vancouver bc

Post by richardc »

Just open Regedit
then click on EDIT/FIND
and type in part of the URL
I use F3 to find the next instance if any.
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

Open a command window (Accessories, Command Prompt), and then run ipconfig from the command line. It will stay open so you can see the results.
I don't know the same things you don't know. :confused:
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

Winguides com is a good site for registry info and tweaks.
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

Originally posted by richardc
Just open Regedit
then click on EDIT/FIND
and type in part of the URL
I use F3 to find the next instance if any.


When I do that it just says "finished searching registry" and does not say results? Here is the addy of the pop ups: http://ads1.revenue.net/load/205806/ind ... DUCT_ID=1&

Can I deny that IP somehow?

richardc
Senior Member
Posts: 1081
Joined: Thu Dec 23, 1999 12:00 am
Location: vancouver bc

Post by richardc »

Personally I use Spybot Search and Destroy, Ad-Aware and
HijackThis as well as Shredder on almost a daily basis.
They usually remove everything - however, in my hosts
file I do have many many entries like the following:
127.0.0.1 ads06.focalink.com
127.0.0.1 ads07.focalink.com
127.0.0.1 ads08.focalink.com
127.0.0.1 ads09.focalink.com
127.0.0.1 ads1.activeagent.at
127.0.0.1 ads1.ad-flow.com
127.0.0.1 ads1.speedbit.com
127.0.0.1 ads10.focalink.com
127.0.0.1 ads11.focalink.com
127.0.0.1 ads12.focalink.com
127.0.0.1 ads13.focalink.com
127.0.0.1 ads14.focalink.com
127.0.0.1 ads15.focalink.com
127.0.0.1 ads16.focalink.com
127.0.0.1 ads17.focalink.com
127.0.0.1 ads18.focalink.com
127.0.0.1 ads19.focalink.com
127.0.0.1 ads2.speedbit.com
127.0.0.1 ads2.zdnet.com
You could try adding
127.0.0.1 ads1.revenue.net to yours

Open the hosts file with notepad.exe and edit it.
Let us know if it works.
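The hosts-file approach suggested above, as an added example that is not part of the thread: it takes the hostname from a popup URL and adds a 127.0.0.1 entry only if one is not already present. The function names are hypothetical; because a hosts file maps names only, a URL that uses a bare IP address is rejected rather than silently ignored.

```python
from urllib.parse import urlparse

SINK = "127.0.0.1"  # loopback address used in the entries quoted above


def blocked_hosts(hosts_text):
    """Hostnames already mapped to the loopback sink in hosts-file text."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2 and fields[0] == SINK:
            names.update(n.lower() for n in fields[1:])  # several names per line
    return names


def add_block(hosts_text, popup_url):
    """Return hosts_text with a sink entry for the URL's hostname, added once."""
    host = urlparse(popup_url).hostname  # urlparse lowercases the hostname
    if host is None:
        raise ValueError("no hostname in %r" % popup_url)
    if host.replace(".", "").isdigit():
        # hosts entries map names to addresses; a bare IP never gets looked up
        raise ValueError("URL uses a raw IP; a hosts entry cannot block it")
    if host in blocked_hosts(hosts_text):
        return hosts_text  # already present: leave the file untouched
    sep = "" if not hosts_text or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + "%s %s\n" % (SINK, host)


if __name__ == "__main__":
    # Constructed hosts content; the second entry is one quoted in the post.
    current = "127.0.0.1 localhost\n127.0.0.1 ads2.zdnet.com  # ad server"
    print(add_block(current, "http://ads1.revenue.net/load/205806/"))
```

Entries only take effect for programs that resolve the name through the system resolver, so the result is worth confirming by checking that the popup host now resolves to 127.0.0.1.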
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

Where do I find the hosts file? Path?

richardc
Senior Member
Posts: 1081
Joined: Thu Dec 23, 1999 12:00 am
Location: vancouver bc

Post by richardc »

On my system
C:\WINDOWS\system32\drivers\etc
n.b. there is no extension
could be hidden - not sure
Jameser
Member
Posts: 38
Joined: Mon Dec 10, 2001 6:40 pm

Post by Jameser »

Randy that sounds like something I ran into 2 weeks ago.

I used Hijack this to correct it.

But at the time, I really wasn't sure what was happening when it started. Scanned for a virus (nothing); Ad-Aware and Spybot, nothing came up. Rebooted, and back in Windows everything was fine. Then I launched IE, problem came right back.

Did a search and stumbled across this site http://www.computercops.biz. Post your hijack this log on their forum someone should reply back. I didn't even have to register :)
richardc
Senior Member
Posts: 1081
Joined: Thu Dec 23, 1999 12:00 am
Location: vancouver bc

Post by richardc »

@Randy - if you are going to post the log - try to reduce the number of apps/things you have running in the background.
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

It doesn't look like you have fixed the problem yet Randy, have you? Do exactly what I wrote HERE. After doing so, if it's not fixed then post a new HijackThis log so we can see what else may be going on.

Also I would HIGHLY recommend you only use 1 firewall; Sygate is MUCH better than ZA. If you have uninstalled ZA then you still have some of its junk left over and you need to go to ZA's site for proper removal instructions. I would also recommend uninstalling Norton AV and installing AVG 6.0 FREE and doing a full system scan.
:cool: ;)
stevebakh
Posts: 3228
Joined: Wed Aug 07, 2002 12:00 pm

Post by stevebakh »

Originally posted by Randy
I need to learn more about registry tweaks, ghosting/mirror images, and DOS<< man I suck at DOS..
When I type ipconfig in Run it won't run.. a black screen comes up then disappears real quick. WTH!

ha ha ha...

In run simply type "cmd" in WinXP / 2000 / NT and you will have a command prompt terminal which you can then enter ipconfig into ;)

A lot of the original DOS commands still exist in NT based OSs although it's not actually DOS anymore ;)
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

Originally posted by stevebakh
ha ha ha...

In run simply type "cmd" in WinXP / 2000 / NT and you will have a command prompt terminal which you can then enter ipconfig into ;)

A lot of the original DOS commands still exist in NT based OSs although it's not actually DOS anymore ;)
Oh sure, do it the easy way. :D Forgot about that little gem, sure beats going through all the menus to find the "command prompt" icon. :) Once you open the window, maximize it and type "help". You will get a list of commands and a brief description. :)
Randy
Posts: 12030
Joined: Mon Jan 17, 2000 12:00 am
Location: British Columbia Canada

Post by Randy »

Well, like I said, my command window was disappearing.

The fact is I was getting some real bad problems; I found a lot of damaged files. My computer would not even boot (was getting 3 beeps). Replaced vid card and was able to boot.

Had a ton of problems and fdisk was the solution.

When I said I don't know much about DOS I meant commands. I also looked into ghosting and mirror imaging.

I was unable to understand how a whole XP system installed could be copied/ghosted onto a single 700 MB disk... IT CAN'T

I have installed my games and bare essentials and to ghost it would take about 10 CDs, which in turn would not be worth burning; a reinstall would be just as fast.

stevebakh
Posts: 3228
Joined: Wed Aug 07, 2002 12:00 pm

Post by stevebakh »

Originally Posted by Randy
When I type ipconfig in Run it won't run..
Exactly... that's because it runs the command and then closes the window as soon as it's done. To get around this you need to open up the cmd window first, so that it isn't only running for that one command. Do this by typing cmd into run, not IPCONFIG and then once the command prompt screen is up, then you can type ipconfig and it should work fine without closing the window.

Regards