tried everything, please help

Guest

I am at a loss... and going nuts!! I have run Ad-Aware, Trend Micro's scan,
Search and Destroy and of course Yahoo's anti-spy. They all come up clean but
I keep getting a lot of pop ups. Most of them are from, Update 3: Forbes.com; All
slots casino and www.super-coupon.com with a few others. I have checked my
add and remove programs and went to msconfig to check my start up programs...
nothing suspicious looking in either spot. My pop up blocker is on as well.
Any help will be much appreciated.

Thanks in advance
lynda
 
Ted Zieglar

Your only recourse is to keep trying to remove the adware. Otherwise, you're
looking at a clean install. (I presume that you don't have a backup of your
system partition, since you wouldn't be posting if you did.)
 
Guest

You did not mention using "Hijack This" to identify the problem. It
could also help to remove the problem too.
 
Wesley Vogel

Make sure a firewall is turned on. And you need to disable or remove the
Messenger service.

[[If advertisements are opening on your computer in a window titled
Messenger Service, it may indicate that your system is not secure. You
should enable the Internet Connection Firewall and disable the Messenger
Service in Windows XP to help protect your computer from unwanted spam and
other potential threats.

The Messenger Service was originally designed for use by system
administrators to notify Windows users about their networks. However, some
advertisers have started using this service to send information via the
Internet, and these messages could be used maliciously to distribute a
virus.]]
Disabling Messenger Service in Windows XP
http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

[[These messages are also known as "messenger spam."]]
[[To resolve this issue, install or turn on a firewall that blocks inbound
NetBIOS and UDP broadcast traffic. ]]
[[To work around this issue, turn off the Messenger service.]]
Messenger Service window that contains an Internet advertisement appears
http://support.microsoft.com/default.aspx?scid=kb;en-us;330904

Disabling Messenger Service in Windows XP
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

How to prevent Windows Messenger from running on a Windows XP-based computer
http://support.microsoft.com/?kbid=302089

Disable/Remove Windows Messenger
http://www.dougknox.com/xp/utils/xp_mess_disable.htm

[[This is a Visual Basic Script file which will remove Windows® Messenger
from Windows® XP. It will also adjust your System Registry to prevent a long
delay when opening Outlook Express when Windows Messenger is removed or
disabled.]]
Remove Windows Messenger
http://www.dougknox.com/xp/tips/xp_messenger_remove.htm

How to block Pop-ups?
Messenger Service Advertisements
http://windowsxp.mvps.org/Popups.htm

Also here...
http://www.kellys-korner-xp.com/xp_tweaks.htm

Read the instructions at the top

59. Disable Messenger in Outlook Express

193. Right hand side
Disable Messenger from Outlook

HOW TO: Enable or Disable Internet Connection Firewall in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283673

Microsoft Protect Your PC Website
http://www.microsoft.com/security/protect/

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Guest

AGGGGHHHH!!! I removed the messenger service, I made sure the firewall was
up (it was), I ran all the spam and adware removal programs in safe mode, and
I am still stuck with pop ups :(( I also tried my system restore ...
nothing is working. Just in the time it took me to write this I have gotten
4 pop ups. I really don't want to do a clean install, I would have so much
stuff to save. If there is anything else I can try???

Thxs for all your help thus far and in the future

lynda

 
Guest

ok... I downloaded Microsoft's antispy beta.... found 3 trojans and deleted
them, rebooted, ran the scan again, was clean. Got back on the internet and
BAM.... still the &^%$& pop ups
WHAAA!! Ran a hijack this and this is my log.... maybe someone can tell me
what is bad?

Logfile of HijackThis v1.99.1
Scan saved at 11:30:28 PM, on 11/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRA~1\MSNGAM~1\zproxy.exe
C:\PROGRA~1\MSNGAM~1\zone.exe
C:\Documents and Settings\LyndaFaye\Local Settings\Temporary Internet
Files\Content.IE5\WLAB01EF\hijackthis[1]\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O16 - DPF: Yahoo! Checkers -
http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Dots -
http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Pool 2 -
http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) -
http://zone.msn.com/binFrameWork/v10/StagingUI.cab40443.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) -
http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) -
http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131827068218
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager
Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -
http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) -
http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune
Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) -
http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer
ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -
http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) -
http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{06942634-3EBB-40C3-B502-8601737917B7}:
NameServer = 206.141.193.55 66.73.20.40
O17 -
HKLM\System\CS3\Services\Tcpip\..\{06942634-3EBB-40C3-B502-8601737917B7}:
NameServer = 206.141.193.55 66.73.20.40
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\p2r40c9qef.dll (file
missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\lv2u09f9e.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak
Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

once again thanks for any help,
lynda
 
Fitz

lynda...

Try posting your HijackThis log at www.castlecops.com or a similar forum.
That's where those experts for HijackThis hang out. I do see some problems
in your log and they might be able to help.
***

 
joevan

WHAAA!! Ran a hijack this and this is my log.... maybe someone can tell me
what is bad?
Are you an online casino freak? See the following and take the
appropriate action.

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl
Class) -
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this site and fix it if you do not.
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763}
(ZPA_WheelOfFortune
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this site and fix it if you do not.
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
(MessengerStatsClient
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this site and fix it if you do not.
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr
Class) -
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this site and fix it if you do not.
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this site and fix it if you do not.
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class)
-
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this site and fix it if you do not.
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown
Installer
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this site and fix it if you do not.


O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl
Class) -
Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from
unknown sites should always be fixed. If the name of the
ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free
plugin' etc, it should be fixed!
Check if you know this
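
The rule quoted in the post above (fix an O16 object when its name or URL contains 'dialer', 'casino' or 'free plugin', or when you do not know the site) can be applied to a whole log at once. This Python sketch is an added example, not part of the thread and not HijackThis code; it goes one step beyond the post and applies the same "do you recognise it" test to O20 Winlogon Notify DLLs. The `known_hosts` and `known_dlls` allowlists are assumptions the reader supplies.

```python
import re
from urllib.parse import urlparse
# Entries copied from the log posted in this thread (hard-wrapped as posted), plus
# one CONSTRUCTED O16 line (all-zero CLSID, example.invalid) to exercise the keywords.
SAMPLE_LOG = r"""
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) -
http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer
ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Casino Loader) -
http://example.invalid/loader.cab
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\p2r40c9qef.dll (file
missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\lv2u09f9e.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
KEYWORDS = ("dialer", "casino", "free plugin")  # the words named in the post above

def parse_entries(text):
    """Rejoin newsreader-wrapped lines; return a list of (code, body) pairs."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:  # continuation of the previous, wrapped entry
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def triage(entries, known_hosts, known_dlls):
    """Flag O16/O20 entries the reader cannot vouch for (allowlists are the reader's own)."""
    findings = []
    for code, body in entries:
        if code == "O16":
            hits = [k for k in KEYWORDS if k in body.lower()]
            url = re.search(r"https?://\S+", body)
            host = (urlparse(url.group(0)).hostname or "") if url else ""
            known = any(host == h or host.endswith("." + h) for h in known_hosts)
            if hits:
                findings.append((code, "keyword: " + ", ".join(hits), body))
            elif not known:
                findings.append((code, "unrecognised source: " + (host or "none"), body))
        elif code == "O20":
            dll = re.search(r"([^\\\s]+\.dll)", body, re.I)
            name = dll.group(1).lower() if dll else ""
            if name not in known_dlls:
                state = "reported missing" if "(file missing)" in body else "not reported missing"
                findings.append((code, f"unrecognised notify DLL {name} ({state})", body))
    return findings

if __name__ == "__main__":
    for code, why, _ in triage(parse_entries(SAMPLE_LOG), {"msn.com"}, {"igfxsrvc.dll"}):
        print(code, "|", why)
```

A finding here means "look this entry up before fixing it", not that the entry is malicious; the allowlists decide what counts as recognised.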
 
Guest

Try to remove it with Hitman Pro, that installs a whole lot of antispyware
programs and runs 'em one after another. Some companies that make antispyware
have agreements with spyware companies to let their spyware through the scan.
Also never use a spyware program recommended in a pop up, they install more
than they remove.
 
