pop ups ( z1adsever )

Guest

MAS does not seem to be able to remove this pop-up. I have run HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 9:46:27 AM, on 9/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\0foybkx3\0foybkx3.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\0foybkx3\10243602.exe
C:\Program Files\0foybkx3\0foybkx3.exe
C:\WINDOWS\system32\n?tepad.exe
C:\Program Files\apsi\wtta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/go/PhotoWorks-eLife-Pictures-43NAred
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [0foybkx3] C:\Program Files\0foybkx3\0foybkx3.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Azpl] C:\WINDOWS\system32\n?tepad.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: StarLuck.com (HKLM)
O9 - Extra 'Tools' menuitem: StarLuck.com (HKLM)
O9 - Extra button: Yahoo! Services (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

Can anyone see any files that I can remove to stop this pop-up? Thanks, Hal
 

Anonymous Bob

MAS does not seem to be able to remove this pop-up. I have run HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 9:46:27 AM, on 9/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Since no one else has responded, I'm no expert, but I'll give it a shot.<g>

There are several things that stand out in your log:
You're running both AVG and Norton. This is generally not a good idea, since
they could interfere with each other.

http://startup.iamnotageek.com/srch-wtta.exe.html

http://startup.iamnotageek.com/srch-Notn.html

http://castlecops.com/s8867-wtta_exe.html

http://castlecops.com/s7828-n_tepad_exe.html

StarLuck.com
Online gambling sites are notorious sources of infection.

10243602.exe
0foybkx3.exe
Random file names are commonly used to defeat removal efforts. Delete the
entire folder.

Have you tried running MSAS in safe mode?

You could also try AdAware:
http://www.lavasoftusa.com/software/adaware/

Good luck,
Bob Vanderveen
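
An added example, not part of the original thread or of HijackThis: a small Python triage pass over process and autorun lines like those in the log above, applying the reply's observations (two resident antivirus products, random-looking file names) plus a check for "?" in a file name. The `looks_random` thresholds and the reading of "?" as a character the log could not render are assumptions.

```python
import re
from collections import defaultdict

# Lines excerpted from the log in this thread, with wrapped lines re-joined.
SAMPLE_LOG = r"""
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\0foybkx3\10243602.exe
O4 - HKLM\..\Run: [0foybkx3] C:\Program Files\0foybkx3\0foybkx3.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Azpl] C:\WINDOWS\system32\n?tepad.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
"""

# Path fragments identifying resident antivirus products (taken from this log only).
AV_MARKERS = {"AVG": r"\\grisoft\\", "Norton": r"\\norton antivirus\\"}
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def looks_random(stem):
    """Heuristic (assumption): all digits, or digits mixed with very few vowels."""
    if stem.isdigit():
        return len(stem) >= 6
    vowels = sum(c in "aeiou" for c in stem.lower())
    return any(c.isdigit() for c in stem) and len(stem) >= 8 and vowels / len(stem) < 0.25

def triage(log_text):
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = EXE_PATH.search(line)
        if not m:
            continue
        path = m.group(1)
        stem = path.rsplit("\\", 1)[1][:-4]  # file name without ".exe"
        if "?" in stem:
            findings["unrenderable character in file name"].add(path)
        if looks_random(stem):
            findings["random-looking file name"].add(path)
        for product, marker in AV_MARKERS.items():
            if re.search(marker, path, re.IGNORECASE):
                findings["antivirus products"].add(product)
    if len(findings["antivirus products"]) < 2:  # one product alone is not a finding
        findings.pop("antivirus products")
    return {reason: sorted(items) for reason, items in findings.items()}

if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG).items():
        print(f"{reason}: {', '.join(items)}")
```

Neither heuristic flags `wtta.exe`; an entry like that still needs a lookup against a startup database, as the reply does with the links above.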
 
