Jump to content


Photo

69.20.62.53/yyy3.html popups!


  • Please log in to reply
3 replies to this topic

#1 arayh

arayh

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 June 2004 - 01:04 PM

okay, i'm aware a number of people have this problem, but i found no clear and concise cure for this.

symptoms: even without ever opening internet explorer, windows popup every so often to random websites including: 69.20.62.53/yyy#.html where # is a digit, http://65.61.157.153...urbo/Adm/ad.htm, http://download.popu...creensavers.com, and several others.

other symptoms: i've noticed that some of the popup ads that come up cause more manipulations on your computer, including: hidemix toolbar for ie, skins for ie, shortcuts on the desktop to suspicious websites, etc..

what i've done so far: well, i've experienced many popup ads before, and i've found that most of them are very similar. i looked through all the places where adware usually installs themselves (on xp): the system32 folder, windows folder, windows/temp folder, program files folder, program files/common files folder, and other temporary folders. so i sorted the files by date modified and deleted all recently modified dll and exe files.. but there were still something i couldn't delete and i can't even end task from the task manager.. they were a couple of exe files that run at startup, i tried removing them from the registry, but the active programs would re-register themselves into startup everytime i remove it.. so i had to delete the exe files in safemode.. and i also fixed the registry for the ie search pages and stuff.

what's left: okay, so now i've only gotten rid of the smaller problems, but i still have one left. i'm still getting popup ads from the above named sites. i can't find any suspicious files or modified files anywhere on my computer, there is no suspicious process running that shows on my task manager, there is nothing on the registry startup.. i'm stuck. i don't know WHERE, or HOW it is doing this, but i'm getting annoyed.. the only temporary solution i have is to restrict the ad sites in ie so i don't get any more adware spawning from the popup ads. i'm here thinking that there MUST be some kind of program running in the background that i'm not aware of (since the popups appear every so often on its own), but i can't find this program anywhere.. as far as i recall, even after i stop the explorer.exe from running, the ads still pop up in ie...

just to recap: i can't find suspicious files, programs, or registry entries.. i even tried running adaware, and it finds nothing that would help me.

my plee: if ANYONE has ever solved this properly, let me know! this is the most annoying adware i've ever come to face! if you at least know WHY this is happening, i would be pleased to hear. what program on my computer can be causing all the ruckus? :hmmm:

#2 Xena

Xena

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 11 June 2004 - 02:17 PM

For starters you need to follow the steps given in the FAQ. Good luck!

#3 arayh

arayh

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 June 2004 - 06:14 PM

well, i've tried adaware already, and now i gave spybot a try, but it's still happening..

the FAQ says to post a hijackthis log, so here goes (although nothing i see seems to be the culprit):

Logfile of HijackThis v1.97.7
Scan saved at 7:12:18 PM, on 6/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Macromedia\Flash MX\Flash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Documents and Settings\Lee\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: (no name) - {200710DD-16CB-E8BC-FD20-0136FF9668E1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: NetAnts (HKLM)
O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtange...wave/wtinst.cab

#4 arayh

arayh

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 11 June 2004 - 09:21 PM

just a bit of an update, i found the following links:

XP and 2K
http://www.downloads...g/VX2Finder.exe

ME and 9x
http://www.downloads...VX2Finder9x.exe

i tried this and for some very odd reason, the program manages to find files that i just don't see. it says they are in the system32 folder, but i don't see them.. i know that i have my explorer set to show hidden files.. is this supposed to happen?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button