Popup Ads in IE6 when using Google

Jan Il

Hi Martin :)
Still no response from AUMHA. I also joined Major Geeks. Had 2 responses
requesting HijackThis log. One asked that I run SysCleaner from TrendMicro.
That didn't show anything. I'll do some more research but must be careful
about downloading programs which promise to solve problem. I understand
that some might cause even more problems. Once before (6-12 months ago) I
was able to clean the computer. Lucky I guess. There are still other forums
I could try.

Just wanted to keep you posted...

Thank you. They truly are covered up right now. Perhaps you should also
try posting to the Bleeping Computer. Run a new HJT scan log in Safe Mode,
and then post the log to the Bleeping Computer forum here. Although, they
are very busy there too:

Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html

While waiting, try these other removal tools that have proven to be very
successful against some variants of this malware. They just might do the
trick:

About Buster:
http://www.majorgeeks.com/download4289.html

Also, download and run the Pocket Killbox. It has been very successful in
removing some variants as well. Please read the information and follow all
instructions carefully.

Pocket Killbox
http://www.downloads.subratam.org/KillBox.zip
http://forums.techguy.org/printthread.php?t=110854
More information here:
http://www.bleepingcomputer.com/files/killbox.php

Win 95- XP- See for information
http://forums.subratam.org/index.php?showtopic=2681


Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Martin Lewis

I've been working with a couple of forums.

One had me try a trial version of a program called Trojan Hunter. It removed around 68
files.
Someone on Spyware Warrior reviewed my HijackThis Logs and walked me thru deleting a
number of entries.

I seem to be ok now. Last issue is in my Add/Remove. Not causing any problems, but there
are three listings which cannot be removed w/normal methods. Deleted CasProg and
associated file located in windows/system. Will work on "Offer Optimizer" and "Shopping
Wizard".

I will probably remove Microsoft Java and replace with Sun in the near future.

Thanks for following this thread.

--
Martin Lewis
Media Development Specialist
Onondaga Community College
Syracuse, NY
www.sunyocc.edu/~lewism
(e-mail address removed)
 
Jan Il

Hi Martin :)
I've been working with a couple of forums.

One had me try a trial version of a program called Trojan Hunter. It
removed around 68 files.
Someone on Spyware Warrior reviewed my HijackThis Logs and walked me thru
deleting a number of entries.

I seem to be ok now. Last issue is in my Add/Remove. Not causing any
problems, but there are three listings which cannot be removed w/normal
methods. Deleted CasProg and associated file located in windows/system.
Will work on "Offer Optimizer" and "Shopping Wizard".

Have you tried to delete the ones you have problems deleting in Safe Mode?
There are some types of scumware that tie themselves to files that are in
use when working from within Windows, that can be accessed from Safe Mode
when not using Windows. Also, have you tried Pocket Killbox? I provided
the download for that one too, I believe. It is for the very resistant
scumwares that don't want to say "Goodnight Gracie" gracefully. Anyway,
here it is again.

Pocket Killbox
http://www.downloads.subratam.org/KillBox.zip
http://forums.techguy.org/printthread.php?t=110854
More information here:
http://www.bleepingcomputer.com/files/killbox.php

See if that will get rid of them. Run it in Safe Mode as well.

Thank you for keeping me posted. You're doing a great job, Martin. :)

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

I will probably remove Microsoft Java and replace with Sun in the near future.

Thanks for following this thread.

Glad to hear that you have been able to make some good progress, and thus
far have your system on the mend.
 
Jan Il

Hi Martin :)

I'm still here, and hope you are too. I found your HJT log post on the
Spyware Warrior forum and then consulted with a few of the Security guru
MVP's about the problem with the two remaining programs, and MS MVP-Mow
Green offered this suggestion:

/quote/

Have them take a look at this registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache

See if Offer Optimizer and Shopping Wizard are listed. The subkey for
it will be in the left frame under the ARPCache folder.
Have the OP right click the subkey and choose Export first, that way if
anything goes amiss it can be restored ...
After backing it up, preferably to the Desktop, then right click the
subkey and choose Delete.
Restart the system when done.

Mow
/end quote/

I had somewhat suspected that they might be holed up in the registry in some
way, but, not being that experienced yet with tracking and removing these
types of files in the Registry I did not want to suggest anything until I
got more input from the experts in that field.

If you wish, you can try Mow's suggestion and see if the files are there and
can be removed in that manner. These residual files may be continuing to
drag your system down.

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Martin Lewis

Can't locate HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache.
Perhaps because this is Win98? Shopping Wizard is located in:
Hkey_Local_Machine\Software\Microsoft\Windows\Uninstall\ShoppingWizard with uninstall string:

rundll32 url.dll,FileProtocolHandler "http://buckstoolbar.com/uninstall/ShoppingWizard.html"

Got rid of OfferOptimizer with an external add/remove program which identified the key.
deleted the key removed the entry. Didn't affect the computer.

There's another Uninstall I see:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\
ZZ-ZZ-CnULbQl4UyhcOVIiQUdBW0VHRk9CQVtGQ0BCRzVHRFtGC0ALRwsjBlwlWzRbOTU7SCA=

Lastly, I question Viewpoint Manager (remove only) and Viewpoint Media Player.

Note that I deleted most of the thread quoted at the bottom of this message.

This is almost getting to be fun (as long as I don't get carried away...)

--
Martin Lewis
Media Development Specialist
Onondaga Community College
Syracuse, NY
www.sunyocc.edu/~lewism
(e-mail address removed)
 
Jan Il

Hi Martin :)

Glad to see you are still here.

Can't locate HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache.
Perhaps because this is Win98? Shopping Wizard is located in:
Hkey_Local_Machine\Software\Microsoft\Windows\Uninstall\ShoppingWizard
with uninstall string:

rundll32 url.dll,FileProtocolHandler "http://buckstoolbar.com/uninstall/ShoppingWizard.html"

Got rid of OfferOptimizer with an external add/remove program which
identified the key. deleted the key removed the entry. Didn't affect the
computer.

OK...not sure getting rid of the rest will help performance, but, at least
you will be able to have a clear conscience that these 'bugs' are no
longer on your system, and you managed to beat them at their own game!

There's another Uninstall I see:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\
ZZ-ZZ-CnULbQl4UyhcOVIiQUdBW0VHRk9CQVtGQ0BCRzVHRFtGC0ALRwsjBlwlWzRbOTU7SCA=

Lastly, I question Viewpoint Manager (remove only) and Viewpoint Media
Player.

I think these may be legit, but, I'll check back with the guru and see what
they think. Stay tuned.

Note that I deleted most of the thread quoted at the bottom of this
message.

Fine, we don't need them anymore at this point.

This is almost getting to be fun (as long as I don't get carried away...)

Lol! Just be careful about what you delete in the Registry, and make sure
you have it backed up just in case. Now see what you would have missed if
you had just wiped and reloaded. There are some things to be said for the
hunt. And some lessons are well worth learning. <s>

I'll be back with more info. You're almost there. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm


<snipped>
 
Jan Il

Hi Martin :)

Ok....more input from the trenches <g>

Here are the next steps from Mow:

/quote/
Am going to fire up an install of 98 ....

Delete the Shopping Wizard subkey of
Hkey_Local_Machine\Software\Microsoft\Windows\Uninstall
That will remove it from Add/Remove Programs.

This key :
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\
ZZ-ZZ-CnULbQl4UyhcOVIiQUdBW0VHRk9CQVtGQ0BCRzVHRFtGC0ALRwsjBlwlWzRbOTU7SCA=

does not look kosher to me. If it's clicked on in the left frame, what
is showing in the right frame ? That would be the way to determine if
it's malicious or not. If it were me, I'd Export it to the Desktop,
delete it, reboot to see if there are any negative effects.

The keys in the right frame window should read as this if no name is listed:
{3248F0A8-6813-11D6-A77B-00B0D0150030}
or this :
{F7D2F453-B593-4875-9635-9B79FD77A81C}

As far as Viewpoint, it's a bandwidth hog at worst. In an Enterprise
environment I can definitely see removing it. Heck, even in a Home or
Small Business setting I can't see what it's ever been used for.
It's one of those grey area apps that some say should go, some say it's
not malicious. I just ignore it. Jim Eshelman says remove it. Go figure.
If I had one iota of proof that it downloads malware I'd recommend
removing it every time I saw it.
/end quote/

So, let's see how you do with the Shopping Wizard removal. As for the
Viewpoint, if it has no use for you then it is just one more useless item on
your system. However, I will leave the decision for you to make on that
one.

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
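
The checks discussed in this thread (exporting the Uninstall subkeys, then looking at what each one holds and what its uninstall string launches) can also be run offline against the exported file. This is an added example, not part of the original posts: the REGEDIT4 sample is constructed around the key names and uninstall string quoted above, and the heuristics and the names `parse_reg` and `review_uninstall` are assumptions for illustration.

```python
import re

# Constructed REGEDIT4 export. Key names and the ShoppingWizard uninstall
# string are the ones quoted in the thread; everything else is made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingWizard]
"UninstallString"="rundll32 url.dll,FileProtocolHandler \"http://buckstoolbar.com/uninstall/ShoppingWizard.html\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ZZ-ZZ-CnULbQl4UyhcOVIiQUdBW0VHRk9CQVtGQ0BCRzVHRFtGC0ALRwsjBlwlWzRbOTU7SCA=]
"DisplayName"="Example entry"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleEditor]
"UninstallString"="C:\\Program Files\\ExampleEditor\\uninst.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed heuristics: a long base64-like subkey name, and an "uninstaller"
# that only hands an http(s) URL to the shell instead of running a local program.
BLOB_RE = re.compile(r'^[A-Za-z0-9+/=-]{40,}$')
WEB_RE = re.compile(r'rundll32(\.exe)?\s+url\.dll,\s*FileProtocolHandler\s+"?https?://', re.I)

def parse_reg(text):
    """Return {key_path: {value_name: value}} for the string values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line.strip())
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string values
            current[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def review_uninstall(text):
    """Return {subkey_name: [reasons]} for Uninstall entries worth a closer look."""
    findings = {}
    for path, values in parse_reg(text).items():
        parent, _, name = path.rpartition('\\')
        if not parent.lower().endswith('\\uninstall'):
            continue
        cmd = values.get('UninstallString', '')
        checks = [(BLOB_RE.match(name), 'key name looks like encoded data'),
                  (not cmd, 'no UninstallString'),
                  (WEB_RE.search(cmd), 'uninstaller only opens a web page')]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings[name] = reasons
    return findings
```

A flagged entry is a prompt to inspect the key by hand, as Mow suggests, not proof that it is malicious; the export itself doubles as the backup to restore from.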
 
