Stupid Popups

  1. #1
    court_Artanis, Newbie

    Ok, I am annoyed. There are silly popups coming up at complete random on my PC; not so much popups, more search pages and, more ironically so, pages advertising anti-spyware products. I cannot whatsoever get rid of these. I have tried Norton, Spybot S&D and Adaware, all updated, all in safe mode and normal mode. They find different DLLs each time but never remove them at startup like they say they will. Here is a HijackThis log if it helps:

    Logfile of HijackThis v1.98.2
    Scan saved at 01:18:19, on 10/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Winamp\winamp.exe
    C:\DOCUME~1\Courtney\LOCALS~1\Temp\Rar$EX01.250\Hi jackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O18 - Filter: text/plain - {DE503147-D543-4BFC-80E5-EAE00A1EB38B} - (no file)


  2. #2
    owen, D-A-L Team Member (UK)
    Remove WinTools first:

    How to remove Wintools infections.
    1. Disable System restore as per the instructions here.
    2. Reboot into safe mode - How do I boot into "Safe" mode?
    3. Click on "Start" => "Control Panel" => "Administrative Tools" => "Services".
    4. Look for a service called "Wintools for IE Service" => Double-click it to open, then click on the Stop button and change the "Startup type" to Disabled. Do not worry if the service is not listed.
    5. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "WtoolsA.exe", "WToolsS.exe" and "WSup.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
    6. Go into "Add/Remove Programs" in the "Control Panel" and look for any Wintools entry. Uninstall it.
    7. Open a command prompt by clicking on "Start" => "Run" and type in "cmd" and click on "OK". At the prompt, type regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" (quotation marks must be typed in on the preceding command) then <ENTER>.
    8. Type exit to close the command prompt window.
    9. Delete the following directories:
      • C:\Program Files\Common Files\WinTools
      • C:\Program Files\Toolbar
      • C:\WINDOWS\System32\netdc.exe
    10. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
      • F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
      • O1 - Hosts: 69.20.16.183 auto.search.msn.com
      • O1 - Hosts: 69.20.16.183 search.netscape.com
      • O1 - Hosts: 69.20.16.183 ieautosearch
      • O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
      • O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
      • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
      • O18 - Filter: text/plain - {DE503147-D543-4BFC-80E5-EAE00A1EB38B} - (no file)
    11. Reenable System restore as per the instructions here.
    12. Reboot and sign in as per normal and post a new HijackThis log for further review.

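A triage sketch for logs like the one in post #1, added here as an example; it is not part of either poster's text and is not HijackThis code. The heuristics, the `watch_dirs` parameter and all function names are assumptions for illustration; on the sample they select the same entries that post #2 lists under "Fix Checked".

```python
import re

# Constructed sample: a subset of the entry lines from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Filter: text/plain - {DE503147-D543-4BFC-80E5-EAE00A1EB38B} - (no file)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
LOOPBACK = ("127.", "::1")

def parse(log):
    """Return (section, detail) pairs for every 'Xn - ...' entry line."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]

def review_reason(section, detail, watch_dirs=("wintools",)):
    """Return why an entry deserves manual review, or None (assumed heuristics)."""
    low = detail.lower()
    if section == "F2" and "shell=" in low:
        extra = low.split("shell=", 1)[1].split()[1:]   # anything after the shell itself
        return "extra program appended to Shell=" if extra else None
    if section == "O1" and low.startswith("hosts:"):
        parts = low.split()
        if len(parts) >= 3 and not parts[1].startswith(LOOPBACK):
            return "hosts file maps a name to a non-loopback IP"
        return None
    if section in ("O2", "O4") and any(d in low for d in watch_dirs):
        return "loads from a watched directory"   # 8.3 short names can hide the directory
    if "(no file)" in low and (section == "O18" or (section == "O9" and "(no name)" in low)):
        return "orphaned registration, target file missing"
    return None

def triage(log):
    """List (section, detail, reason) for entries that match a heuristic."""
    return [(s, d, r) for s, d in parse(log) if (r := review_reason(s, d))]
```

A flagged entry is only a candidate for review; the output is a worklist to check by hand, not a removal list.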