Tons of popups.

[btcomm]

I have this computer that has windows XP on it, I have installed ad aware and spybot on it, run both of those. I have found things with both. I have removed things with both. I installed AVG anti virus on the computer. Right now spybot and ad aware don't find anything, I ran the antivirus, it found 3 things that I got rid of. Everytime this computer is connected to the internet I'm still getting popup ads on it, ads that will open up without doing anything, it's not like they are a popup that come from the site I'm going to. I have looked at all the exe's that are running, I've looked them all up on the internet and they shouldn't be causing these things. Has anyone run into this before? What could possibly be causing all the popups? Some of the adds seem to not be in a web browser that pop up in the middle of the screen, and they have a close button built into the top of them. I've even booted into safe boot with networking and even then these things come up.

One of the ads that is poping up is from http://e.rn11.com/adbuys/a174-admed-ron anyone know what adware/spyware might be bringing this up?


Also, while booting this computer sometimes it seems to get random dll file errors, I just booted it into safe boot and I got the error.

An exception occurred while trying to run ""C:\Windows\system32\LBASBCE.dll",DllGetVersion"

I've also seen it get this same error with other DLL files.

If you look at the attached jpg you will see what the ad's look like that come up without the browser.

Also, I used firefox and even while using that, I would go to a website and then before it would finish loading it would go to an ad.

[fink]

Hi.. Have a look at this thread..

http://discussions.virtualdr.com/sho...d.php?t=167915

and do all of the things it suggests (that you haven't already done) then post the hijackthis log here and we'll move it to the hijack forum where one of our experts can have a look at it and advise further.

[btcomm]

Here is the hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 11:31:30 AM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\irp4l57q1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

[liam858]

I'll move this to the relevant forum shortly.....quick question, did you tick the advanced options? as that log looks quite short.


Liam

[btcomm]

I'll move this to the relevant forum shortly.....quick question, did you tick the advanced options? as that log looks quite short.


Liam

What do you mean by advanced options? What options specifically should I check?

Do you mean check these?

list also minor sections (full)
list empty sections (complete)

Make everything found for fixing after scan

Or can you give me a list of everything I should have checked in hijackthis?

Here is the log with all that stuff checked.



Logfile of HijackThis v1.99.1
Scan saved at 12:43:34 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (filesize 104064 bytes, MD5 10FE3F2AAE651058DE4B949A2B7400AD)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (filesize 218736 bytes, MD5 966185FE614B44D0FC032CFD5BEAEDEF)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (filesize 225280 bytes, MD5 0CBE3E4166A08FC379EABF532B4EFE18)
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\irp4l57q1.dllC:\WINDOWS\system32\irp4l57q1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dllC:\WINDOWS\SYSTEM32\igfxsrvc.dll

[Ridgerunr]

Go get SpywareBlaster and IE-Spyads
After clearing all the crap off as stated,install these and update right away. Check for updates on a regular basis. In I.E.,go to tools>popup blocker and activate it. If it refuses to let you go to a trusted site,just hold the Ctrl key down and click the link. Or you can set it to allow the site on each visit...

[btcomm]

Go get SpywareBlaster and IE-Spyads
After clearing all the crap off as stated,install these and update right away. Check for updates on a regular basis. In I.E.,go to tools>popup blocker and activate it. If it refuses to let you go to a trusted site,just hold the Ctrl key down and click the link. Or you can set it to allow the site on each visit...

Well, I already installed spywareblaster and as far as I can tell with that, it seems to not really get rid of anything, it just takes away vulnerabilities in internet explorer, firefox etc. If there is something you can do in spywareblaster that will actively remove spyware/adware let me know, also even with spywareblaster installed ad's still pop up just like before.

I installed ie-spyads now windows still popup but when they do they display a blank white page instead of the ad.

Right now I'm stumped, I have run numerous virus scans on the computer have removed trojans/viruses, I have run spybot and ad aware after fully updating them, I have checked the running processes, I have installed spywareblaster and even booted the computer into safe boot with networking and still the ads continue to popup on websites that have no popup ads like google. When in firefox the ad's don't pop up in a new window, instead they pop in and replace whatever page you are looking at.

Moderators, either one, can you give me a list of everything I should have checked in hijackthis and then if you still feel it would be better move this thread into the hijackthis?

[Ridgerunr]

Sorry if I confused you. What I meant was to do the suggestions made by liam858 and fink. Then,if that fixes the present problems,do as I suggested to keep the crap from getting on in the first place. That's what SpywareBlaster and I.E.spyads do. They put a very large database of nasty sites into your I.E.>tools>internet options>security>restricted sites and keep the baddies from getting on in the first place. If you've enabled popup blocker and it still won't let you into sites that you know are ok, I'd be very suspicious that you still have nasties aboard. Might try the sites listed below to run a scan.

http://www.agnitum.com/products/tauscan/ (get free 30 day trial vers.)

http://housecall.trendmicro.com/ (run this one online)

http://www.xblock.com/download-freeware.php

[btcomm]

Sorry if I confused you. What I meant was to do the suggestions made by liam858 and fink. Then,if that fixes the present problems,do as I suggested to keep the crap from getting on in the first place. That's what SpywareBlaster and I.E.spyads do. They put a very large database of nasty sites into your I.E.>tools>internet options>security>restricted sites and keep the baddies from getting on in the first place. If you've enabled popup blocker and it still won't let you into sites that you know are ok, I'd be very suspicious that you still have nasties aboard. Might try the sites listed below to run a scan.

http://www.agnitum.com/products/tauscan/ (get free 30 day trial vers.)

http://housecall.trendmicro.com/ (run this one online)

http://www.xblock.com/download-freeware.php

I can try running those things I guess, I've already run anti spyware anti adware, anti viruses and removed many things, run them again and there seems to be nothing left yet I still get popups.

[liam858]

It doesn't matter, i think the standard look of the log is what you get in the newest version, it just looks shorter than usual, did you run it in Normal Mode?


Liam

[btcomm]

It doesn't matter, i think the standard look of the log is what you get in the newest version, it just looks shorter than usual, did you run it in Normal Mode?


Liam

Normal mode?

I don't think I've changed any options when I ran it but if you tell me where that option is I can check it and make sure it's in normal mode. Until I can do that looking at the hijack log I currently have listed, can anyone tell what might be causing these popups?

I opened up the hosts file in windows\system32\drivers\etc and this is what I got.

127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com
127.0.0.1 idownload.com
127.0.0.1 www.mytotalsearch.com
127.0.0.1 mytotalsearch.com
127.0.0.1 www.lop.com
127.0.0.1 lop.com
127.0.0.1 www.websearch.com
127.0.0.1 websearch.com
127.0.0.1 www.page-not-found.net
127.0.0.1 page-not-found.net
127.0.0.1 www.isearchhere.com
127.0.0.1 isearchhere.com
127.0.0.1 xads.offeroptimizer.comm
127.0.0.1 search.offeroptimizer.com
127.0.0.1 ximages.offeroptimizer.com
127.0.0.1 xlime.offeroptimizer.com
127.0.0.1 xadsj-o.offeroptimizer.com
127.0.0.1 xadsj.offeroptimizer.com
127.0.0.1 www.offeroptimizer.com
127.0.0.1 as.adwave.com
127.0.0.1 sr.adwave.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com
127.0.0.1 adwave.com


Is there particular adware that adds this stuff in there? Or is it normal to have all this stuff in it? Could all this stuff in the hosts file be causing all these popups? Also if this is part of it, could having this stuff in the host file randomly open up these ads without me going to a website that has ads?

Ok an update, I deleted the hosts file. It got recreated and it was 0 kb. I then rebooted the computer. I plugged in the ethernet cable, not too long after I got an error

An exception occurred while trying to run

"C:\\WINDOWS\system32\anything.dll," D\\GETVersion"

Like I said before I've gotten this error message before.

I was watching the hosts file and as soon as I got that error the host file became 2 kb big and has all that info I posted above in it again.

I then did a search and found this.

http://www.otwa.com/community/showth...oto=nextnewest


Turns out look2me is what causes this error and all the popups.

I used the tool on this site http://www.pchell.com/support/look2me.shtml to remove look2me and now the popups are totally gone.

Finally!!!!

Why can't spybot/adware get rid of this properly? Anyway I'll let you know if I get any more popups but so far none.