pop up across desktop

Steve T

Don't know what this is or how to get rid of it. Started popping up across
my desktop over the weekend after, I think, I downloaded some videos from
YouTube with a converter. I have removed the program and Google's IE bar as
I thought that was the problem. I have run my AV, Ad-Aware, Spybot and AVG's
anti rootkit. Task manager shows it as a running process when it appears. I
can shut it down, but after a while it pops up onto the desktop. It appears
as an ad and sometimes just an advertisement for a product. Here it is
translated with IE 6:

You have an Internet site, a blog, a myspace page? You want an address
short, original and sympathetic? www.C.LA proposes to you to create in two
minutes your own domain name free and easy to retain.

For example:

www.myspace.com/tom becomes tom.c.la

winsteadfan.free.fr becomes winsteadfan.c.la

www.myspace.com/lespiedssurscene becomes lespiedssurscene.c.la!

The free redirection functions by defect with a very discrete stringcourse
at the foot of the page to avoid the abuses like the phishing. To make
withdraw this stringcourse it is enough for you to establish a link towards
www.C.LA and to warn us for validation. You profit thus from a free
redirection and without publicity.



Thanks, Steve T
 
Guest

I don't have an answer for your problem, but just a comment.
I had visited YouTube and watched a video; soon after, I started getting a
download trojan trying to install itself in my PC. Luckily my AV software
caught it.

I suggest you try Ad-Aware and Spybot Search and Destroy and also HijackThis.
Do not upload the log from HijackThis to this forum.
 
David H. Lipman

From: "Steve T" <[email protected]>

| Don't know what this is or how to get rid of it. Started popping up across
| my desktop over the weekend after, I think, I downloaded some videos from
| YouTube with a converter. I have removed the program and Google's IE bar as
| I thought that was the problem. I have run my AV, Ad-Aware, Spybot and AVG's
| anti rootkit. Task manager shows it as a running process when it appears. I
| can shut it down, but after a while it pops up onto the desktop. It appears
| as an ad and sometimes just an advertisement for a product. Here it is
| translated with IE 6:
|
| You have an Internet site, a blog, a myspace page? You want an address
| short, original and sympathetic? www.C.LA proposes to you to create in two
| minutes your own domain name free and easy to retain.
|
| For example:
|
| www.myspace.com/tom becomes tom.c.la
|
| winsteadfan.free.fr becomes winsteadfan.c.la
|
| www.myspace.com/lespiedssurscene becomes lespiedssurscene.c.la!
|
| The free redirection functions by defect with a very discrete stringcourse
| at the foot of the page to avoid the abuses like the phishing. To make
| withdraw this stringcourse it is enough for you to establish a link towards
| www.C.LA and to warn us for validation. You profit thus from a free
| redirection and without publicity.
|
| Thanks, Steve T
|


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE 2007
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Steve T

Dave, is there another site for this tool download? I don't speak German.
I've tried Googling but it keeps giving a site that's unavailable, and it
is on your site too. Thanks, Steve T.
 
Leythos

Steve T said:
Dave, is there another site for this tool download? I don't speak German.
I've tried Googling but it keeps giving a site that's unavailable, and it
is on your site too. Thanks, Steve T.

http://www.pctipp.ch/index.cfm?pid=1411&pk=28470

The original site was taken down by a malicious zealot with a faked DMCA
violation claim and the hosting company would not believe anyone that
provided proof the file was legit.

The link I posted above will take you directly to the download site, in
about 10 seconds it should pop-up a download, save it to disk, run it
once it's downloaded, and you'll love the results - the best cleaning
tool I've used in ages.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
David H. Lipman

From: "Leythos" <[email protected]>


|
| http://www.pctipp.ch/index.cfm?pid=1411&pk=28470
|
| The original site was taken down by a malicious zealot with a faked DMCA
| violation claim and the hosting company would not believe anyone that
| provided proof the file was legit.
|
| The link I posted above will take you directly to the download site, in
| about 10 seconds it should pop-up a download, save it to disk, run it
| once it's downloaded, and you'll love the results - the best cleaning
| tool I've used in ages.
|

Thanx Leythos :)
 
Steve T

Sorry it took so long to reply back. Here is what I did:
Ran Ad-Aware SE, Spybot and SuperAnti all in Normal and Safe Modes.
I ran my AV, CA, in both modes.
I downloaded Multi_AV and ran all 4 modules in both modes.
The first, Sophos, in normal mode found 7 infections and cleaned them all.
It did not find anything in Safe Mode after.
TrendMicro did not find any viruses.
McAfee found 1 possible virus but did not clean it.
Total files 259,147, Clean 257,425. Don't know why the disparity is there.
Kaspersky found 1 known virus, 2 virus bodies, disinfected 0, deleted 1.
After all this, the pop up comes back up. First the body of the text that I
included, then an ad later for phones, blogs, date services, porn, etc.
Maybe I should just have Gateway go through the recovery process of
restoring my PC to what it was when I first got it and then delete whatever
backup files it creates? I can be selective of the data files I save. It
won't be any youtube videos! Thanks, Steve T.
 
Steve T

I forgot to mention that it was pretty disheartening to see these pop ups
come up while the AV's were doing their scans in normal mode. Did not occur
in Safe Mode. Steve T.
 
Guest

Hey Steve, I knew all these popup ads and especially those antispyware sponsor companies.
It also happened to me when I searched The Rose song by Bette Midler on Google. Why not fight
fire with fire? Use one of their software and this is very good: http://www.superantispyware.com
Download it and upgrade immediately, then press the Scan Your Computer button, then check all your
hard drives and tick Complete Scan and the Next button to start scanning. Delete everything it found.

Just remember to scan the PC after every online visit (the free HOME edition is sufficient for your needs).
If you like Real Time Protection then you have to buy their Professional edition.

Wish US Congress would do something to clean up the dirty Internet and WWW.

-Rino




 
Steve T

I had ZoneAlarm Pro on my PC but removed it about a month ago because of the
slow boot times and "popular" opinion is if you already have a router (I do)
don't use another firewall. I just used the XP firewall. I had re-installed
Zone Alarm prior to your suggestion and did not experience the pop ups. I
received an alert about "isys32.exe" trying to access the internet, which I
declined at first. The second time I allowed it access and it is the
culprit! I got connected to that damn French website (xxx.pourxxxx.x.xx).
I set Zone Alarm to Kill this program and then found it in Windows\System32
and deleted it. No more pop ups for the last couple of hours anyway. Anybody
know what this isys32.exe file is anyway? A search brought up a bunch of
spyware topics so that must have been it. I'll get back to you if it happens
again. Curious why none of the AV or spyware programs could find it.
Thanks, Steve T.
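
The detection route in the post above (an outbound-connection prompt naming a binary in Windows\System32 that the scanners had missed) can be approximated on current Windows with built-in PowerShell cmdlets. This is an added example, not part of the original thread; it assumes Windows 8 / Server 2012 or later and an elevated PowerShell session, and it only reports, it does not remove anything.

```powershell
# Added example: list processes that own established outbound TCP connections,
# with the signature status of each process image, and flag images that live
# under %SystemRoot%\System32. Unsigned or invalidly signed entries sort first.

$system32 = (Join-Path $env:SystemRoot 'System32') + '\'

# Established connections to non-loopback peers, grouped by owning PID.
$byPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Group-Object -Property OwningProcess

$report = foreach ($group in $byPid) {
    $proc = Get-Process -Id $group.Name -ErrorAction SilentlyContinue
    # Skip processes that have exited or whose image path cannot be read.
    if (-not $proc -or -not $proc.Path) { continue }

    $sig    = Get-AuthenticodeSignature -FilePath $proc.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $remote = $group.Group |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
        Sort-Object -Unique

    [pscustomobject]@{
        PID        = $proc.Id
        Image      = $proc.Path
        InSystem32 = $proc.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        SigStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer     = $signer
        Remote     = $remote -join ', '
    }
}

# A binary in System32 that talks to the network and is not validly signed
# matches the pattern described in the post; review those rows first.
$report |
    Sort-Object -Property @{ Expression = { $_.SigStatus -eq 'Valid' } }, Image |
    Format-Table -AutoSize -Wrap
```

A status other than Valid is a reason to look at the file, not a verdict. 32-bit images under SysWOW64 are listed but are not marked by the InSystem32 column.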
 