Popup Ads in IE6 when using Google

Martin Lewis

Just started getting Pop-up ads in IE6 relating to search terms when
using Google. This doesn't happen using other search engines in IE6 or
going to Google when using Netscape or Mozilla.
 
Ted Zieglar

Sorry, Google doesn't serve pop-ups. The adware on your computer is the
culprit.
 
Martin Lewis

Should have been clearer... I know this is not Google's issue, but
wondering if anyone might suggest how to track it down. Have run
Adaware and Spybot.
 
Jan Il

Hi Martin :)

Most likely you have scumware on your system causing the problem. Follow
the information here to clean your system:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm

If this does not resolve the problem post back here and we'll take further
steps.

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Jan Il

Hi Martin :)

Although most people think so, AdAware and SpyBot alone can't/won't detect
and find everything that may be causing the problem. Additionally, if you
did not run them fully updated and in Safe Mode, with Hidden Files enabled,
then you likely did not fully scan your system. There are also many types of
parasites and malware that will cause this kind of problem that neither of
these programs is able to detect, or remove in any case. Also, you did not
mention what version of Windows you are using. You might also check for odd
toolbars and other types of 3rd party or unfamiliar software in
Add/Remove Programs to see if anything is there that you know you did not
intentionally install. If so, uninstall it. And check your firewall and
any popup blockers you may have installed to see if they are set properly.
I have already provided information that you might check out as well, and
you should post a HijackThis Log to one of the forums listed and let the
experts there evaluate the log for any hidden scumware.

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Martin Lewis

Sorry... Still using Win 98. Forgot about running in Safe Mode. Using
Zone Alarm and D-link broadband router. No popup blocker since have not
had any issues in the past. Note that the popup ad does not appear each
time I go to Google. Seems somewhat random - not that this is
significant. I'll play around tonight with information from www.mvps.org.

Thanks for taking the time and interest in addressing this.
 
Jan Il

Hi Martin :)


Here's a bit more information you might also check out. There's been a lot
more aggressive work being done by those who produce the adware to override
the common popup blockers, and even some that will put a cookie on your hard
drive and you don't even know it. You might also try clearing your Cookie
cache and see if that helps.

Unwanted Popups
http://mvps.org/winhelp2002/unwanted.htm
Blocking Unwanted Cookies with IE 6:
http://www.mvps.org/winhelp2002/cookies.htm
IE Popup Manager
http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/popupmanager.aspx

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Martin Lewis

My add/remove shows: "shoppingwizard", "offeroptimizer", "casprog"

Booted in Safe Mode, ran Adaware & Spybot.

Ad-aware shows coolwebsearch (3 objects) and mru list (6 objects)


Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 7:53:49 PM, on 6/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SOL.EXE
C:\UTILITY\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://myhome.sunyocc.edu/~lewism/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.sunyocc.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.sunyocc.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.sunyocc.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://www.sunyocc.edu/~lewism
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage",
"http://www.sunyocc.edu/~lewism"); (C:\Netscape\Users\marty\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {6BFD224C-67B6-C2E3-74F7-A2ED6711C74F} -
C:\WINDOWS\SYSTEM\CRRQ32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZoneLabs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WINWA32.EXE] C:\WINDOWS\SYSTEM\WINWA32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
-service
O4 - HKLM\..\RunServices: [CRDE.EXE] C:\WINDOWS\SYSTEM\CRDE.EXE /s
O4 - HKLM\..\RunServices: [IEZE.EXE] C:\WINDOWS\SYSTEM\IEZE.EXE /s
O4 - HKLM\..\RunServices: [WINPO.EXE] C:\WINDOWS\WINPO.EXE /s
O4 - HKLM\..\RunServices: [IPRE.EXE] C:\WINDOWS\SYSTEM\IPRE.EXE /s
O4 - HKLM\..\RunServices: [MSQP32.EXE] C:\WINDOWS\MSQP32.EXE /s
O4 - HKLM\..\RunServices: [MSGG.EXE] C:\WINDOWS\MSGG.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL
deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Creative Detector]
C:\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Kodak\Kodak EasyShare
software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) -
http://-Web.Washer-/ie_add
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM
FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: PRDIE - {1609CE00-5651-11D7-B870-0050DA5EE774} - C:\PRIVACY
DEFENDER\PRD.EXE
O9 - Extra button: AbsoluteShield Internet Eraser -
{4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\winapps\Internet Eraser\cseraser.exe
(HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX
Control) -
http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control)
- http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control)
- http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) -
http://www.trojanscan.com/trojanscan/TDECntrl.CAB

Next step will be to go to one of the forums.

Jan said:
Hi Martin :)

Most likely you have scumware on your system causing the problem. Follow
the information here to clean your system:

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm

If this does not resolve the problem post back here and we'll take further
steps.

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

--
Martin Lewis
Media Development Specialist
Onondaga Community College
Syracuse, NY
www.sunyocc.edu/~lewism
(e-mail address removed)
(e-mail address removed)
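As an added example (not part of the thread, and not a tool any of the posters used), here is a small Python parser for the HijackThis log format Martin posted above. It splits a log into the header, the running-process list and the R/F/N/O entries, then applies the kind of first-pass triage heuristics a log reviewer on the forums Jan names would start from: a BHO with no descriptive name, an autostart entry whose registry value name is simply its own binary and whose binary sits directly in the Windows or System directory, a missing default URLSearchHook, and IE policy restrictions being present. The embedded sample is a subset of Martin's log with the newsgroup line-wraps re-joined; the heuristics and the generic-name list are assumptions about what merits a closer look, not a verdict on any entry.

```python
import re

# Constructed sample input: a subset of the HijackThis v1.99.1 log quoted in the
# thread, with the lines the newsgroup client wrapped re-joined.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:53:49 PM, on 6/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myhome.sunyocc.edu/~lewism/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {6BFD224C-67B6-C2E3-74F7-A2ED6711C74F} - C:\WINDOWS\SYSTEM\CRRQ32.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [WINWA32.EXE] C:\WINDOWS\SYSTEM\WINWA32.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [CRDE.EXE] C:\WINDOWS\SYSTEM\CRDE.EXE /s
O4 - HKLM\..\RunServices: [MSQP32.EXE] C:\WINDOWS\MSQP32.EXE /s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab
"""

# Every HJT finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
AUTOSTART_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# Parent directories treated as "the Windows directory" (Win9x SYSTEM, NT System32).
WINDOWS_DIR_RE = re.compile(r"\\WINDOWS(\\SYSTEM(32)?)?$", re.IGNORECASE)
# Assumed list of BHO names that carry no information about what the object is.
GENERIC_BHO_NAMES = {"", "class", "(no name)"}


def parse_hjt_log(text):
    """Split a HijackThis log into header lines, running processes and findings."""
    header, processes, entries = [], [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            mode = "entries"
            entries.append((m.group("section"), m.group("body")))
        elif line == "Running processes:":
            mode = "processes"
        elif mode == "processes":
            processes.append(line)
        elif mode == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def executable_path(command):
    """Return the program path from an autostart command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(parsed):
    """Heuristics that surface entries a reviewer would read first; they are not verdicts."""
    flagged = []
    for section, body in parsed["entries"]:
        if section == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name").strip().lower() in GENERIC_BHO_NAMES:
                flagged.append((section, "BHO without a descriptive name", body))
        elif section == "O4":
            m = AUTOSTART_RE.match(body)
            if not m:
                continue
            directory, _, filename = executable_path(m.group("command")).rpartition("\\")
            # Legitimate entries usually have a descriptive value name (TaskMonitor,
            # AVG7_CC); a value named after its own binary, dropped straight into the
            # Windows directory, is worth a second look by whoever reads the log.
            if m.group("name").upper() == filename.upper() and WINDOWS_DIR_RE.search(directory):
                flagged.append((section, "autostart named after its own binary in the Windows directory", body))
        elif section == "R3" and "missing" in body:
            flagged.append((section, "default URLSearchHook missing", body))
        elif section == "O6":
            flagged.append((section, "IE policy restrictions present", body))
    return flagged


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

The output is a shortlist for a human, which is exactly how the forum reviewers Jan points Martin to work: the parser does the tedious grouping, and the reviewer decides what each flagged item is from the path, the CLSID and what Add/Remove Programs and Ad-aware already reported.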
 
Jan Il

Hi Martin :)

Please post your log to the following forum to allow the experts there to
analyze it for you.
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30
my add/remove shows: "shoppingwizard", "offeroptimizer", "casprog"

Did you uninstall them?
booted in safemode ran adaware & spybot.

Ad-aware shows coolwebsearch (3 objects) and mru list (6 objects)

Did you run the CW Shredder in Safe Mode to remove them?
Hijack this:

Next step will be to go to one of the forums.

Very good! Please post the link to the forum where you post your log back
here so that we can follow the progress there. :)

You're doing very well! Please be aware that the folks on the forums are a
little busy, so please be patient. Be sure to tell them that I sent you,
briefly explain your problem and what you have done thus far, and follow all
preliminary instructions before posting your log.


Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Ted Zieglar

CoolWebSearch is among the most intransigent of all spyware, and extremely
difficult to remove. You're almost certainly looking at wiping your hard
disk and starting from scratch. You may as well search the web for CWS
removal tools (from reputable organizations) since you have everything to
gain and nothing to lose.
 
Jan Il

Hi Martin :)
If you're still following this, I followed all steps but computer still
infected. General slowdown including Windows Explorer and pop-ups in IE6
when going to Google.

Yes...I'm still with you here. :)
Ad-Aware shows CoolWebSearch. Of course I can delete the entries but they
return on reboot.

Yes, the variant(s) you have are able to continue to replicate themselves if
not properly removed. That is why it is important that you posted your HJT
log at the forum for analysis, and let the experts there advise you what you
need to do to thoroughly clean your system.

Thank you for the link. Please be patient, they're always very busy. I
popped to the post in to let them know that I sent you, and that you had
already run all the usual detection and removal tools I provided and the
problem persists. It will narrow things down for them a bit more knowing
what you have already done.

If you have any questions or further replies, please post them to your AumHa
post so that the folks there can follow along as well. I'll be checking
back there for progress updates too.

Hang in there, we'll have you up and running right again soon. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Jan Il

Ted Zieglar said:
CoolWebSearch is among the most intransigent of all spyware, and extremely
difficult to remove. You're almost certainly looking at wiping your hard
disk and starting from scratch. You may as well search the web for CWS
removal tools (from reputable organizations) since you have everything to
gain and nothing to lose.

If you have read the information I provided for Martin in my earlier post,
Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm
you would have seen that there is a very large section that covers
CoolWebSearch and its variety of variants, which is from a very "reputable
organization" of experts in this field. Also, it is not true at all that he
will have to wipe his hard drive to get rid of the variant(s), even if they
are the latest and greatest. That is why he was instructed to post his
HiJackThis log at the forum, so that the experts there who are specialists
with scumware detection and removal and know the necessary procedures can
help him get rid of it without such unnecessary measures.

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Ted Zieglar

I stand by my original post, and certainly not in any mean spirited way,
either. CWS can be - and usually is - notoriously difficult to remove; and
even when it is removed, the process of removal can substantially compromise
a system. Clean install is often the better solution, unless the user has a
known-good disk image.

I emphasized the word 'reputable' because there are plenty of scam web sites
claiming to remove CWS that only stick more malware on the computer. I did
not suggest that the web site you posted is such a scam.

Therefore, a user has "everything to gain and nothing to lose" by attempting
removal, but must understand that clean install could very likely be the
ultimate outcome.

Personally, I image my system partition daily (and sometimes more often) so
if I were to become 'infected' I wouldn't even bother with removal, since I
can restore a recent, known-good image in under 5 minutes and be back on my
way.
 
Jan Il

Ted Zieglar said:
I stand by my original post, and certainly not in any mean spirited way,
either. CWS can be - and usually is - notoriously difficult to remove; and
even when it is removed, the process of removal can substantially
compromise
a system. Clean install is often the better solution, unless the user has
a
known-good disk image.

I emphasized the word 'reputable' because there are plenty of scam web
sites
claiming to remove CWS that only stick more malware on the computer. I did
not suggest that the web site you posted is such a scam.

Therefore, a user has "everything to gain and nothing to lose" by
attempting
removal, but must understand that clean install could very likely be the
ultimate outcome.

It could be that it may come to that, but neither I, nor I dare say very many
others here or elsewhere, would outright recommend such a step unless it
was the ultimate or last resort.
Personally, I image my system partition daily (and sometimes more often)
so
if I were to become 'infected' I wouldn't even bother with removal, since
I
can restore a recent, known-good image in under 5 minutes and be back on
my
way.

Many posters do not, or cannot, have the options you or others may. What
you would do in their case is not what they may have the option to do for
various reasons. And they may not have backup capabilities at the moment to
save their data before wiping and reinstalling.

I try to work with the poster's needs, not what I could or would do in their
situation, and I never assume the worst until I come to it.

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Martin Lewis

My last resort is to save all data files to a second hard drive,
reformat and reinstall OS and applications to my c:

It certainly can't hurt to post to forums such as aumha or major geeks.
I could also check with a repair shop in my local area.

Did come across Silent Runners http://www.silentrunners.org/ which
offers to disinfect for a fee ($25). Don't know if this is a reputable
site. Assume they mostly look at log files.

In any event, do appreciate your continuing interest...
 
Ted Zieglar

I have no knowledge of Silent Runners, but I would be inclined to try the
free forums first. CWS is a widespread menace, so there is lots of
information about it on the internet.
 
Jan Il

Hi Martin :)
My last resort is to save all data files to a second hard drive, reformat
and reinstall OS and applications to my c:

It is good that you have a plan...and capability to carry it out. That will
help should you find you are unable to fully clean or repair the machine and
have no other choice.
It certainly can't hurt to post to forums such as aumha or major geeks.
I could also check with a repair shop in my local area.
Did come across Silent Runners http://www.silentrunners.org/ which offers
to disinfect for a fee ($25). Don't know if this is a reputable site.
Assume they mostly look at log files.

There are many other programs that can do the same thing as Silent Runners
for free. Pocket Killbox is one.

Pocket Killbox
http://www.downloads.subratam.org/KillBox.zip
http://forums.techguy.org/printthread.php?t=110854
More information here:
http://www.bleepingcomputer.com/files/killbox.php

Win 95- XP- See for information
http://forums.subratam.org/index.php?showtopic=2681

The main thing is that the cleanup and removal of the malware be done with
little or no further damage to your system to allow you to regain the use of
your machine as quickly as possible (and restore daughter's smile).
In any event, do appreciate your continuing interest...

If you're going to see it out, I'll be here. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Martin Lewis

Still no response from AUMHA. I also joined Major Geeks. Had 2 responses requesting
HijackThis log. One asked that I run SysCleaner from TrendMicro. That didn't show
anything. I'll do some more research but must be careful about downloading programs
which promise to solve problem. I understand that some might cause even more
problems. Once before (6-12 months ago) I was able to clean the computer. Lucky I
guess. There are still other forums I could try.

Just wanted to keep you posted...

Jan said:
Hi Martin :)


Yes...I'm still with you here. :)

Yes, the variant(s) you have are able to continue to replicate themselves if
not properly removed. That is why it is important that you posted your HJT
log at the forum for analysis, and let the experts there advise you what you
need to do to thoroughly clean your system.

Thank you for the link. Please be patient, they're always very busy. I
popped to the post in to let them know that I sent you, and that you had
already run all the usual detection and removal tools I provided and the
problem persists. It will narrow things down for them a bit more knowing
what you have already done.

If you have any questions or further replies, please post them to your AumHa
post so that the folks there can follow along as well. I'll be checking
back there for progress updates too.

Hang in there, we'll have you up and running right again soon. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

--
Martin Lewis
Media Development Specialist
Onondaga Community College
Syracuse, NY
www.sunyocc.edu/~lewism
(e-mail address removed)
(e-mail address removed)
 
Ted Zieglar

By now you could have reformatted, reinstalled and been on your way.
Something you might consider.
 