  1. #1 joshg (Member, joined Aug 2004)

    Nasty pop-up thing on my PC...

    :cry:

    Spybot & Ad-Aware both say I'm clean, but pop-ups are coming all the time. They appear to be served from "valuead.com".

    Can anyone please please help me? I'm going crazy with this.

    HJT log below...

    thanks in advance,
    --josh
    ------------------------------
    Logfile of HijackThis v1.98.1
    Scan saved at 12:33:22 AM, on 8/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Ghrone\Ghrone.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\WINDOWS\System32\ttbvwr.exe
    C:\Program Files\Sunbelt Software\AutoPilot\APControl.exe
    C:\PROGRA~1\SUNBEL~1\AUTOPI~1\System\VBSrv.exe
    C:\Documents and Settings\Josh\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6DFE4C5C-B41B-2CB7-8327-11550BD22E10} - C:\WINDOWS\System32\dltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINDOWS\System32\teomabAB.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O13 "LPT3:PS596982" /M "Stylus Photo 2200"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Yozjy] C:\WINDOWS\System32\ttbvwr.exe
    O4 - Global Startup: AutpPilot Control.lnk = ?
    O4 - Global Startup: Shortcut to PopFilter.lnk = C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Dictionary Search - javascript:external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Teoma Search - javascript:external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {13A6F8EA-E2D0-40EE-B7CF-ECE5600F18B4} (SightSpeed_Check.System_Test) - http://www.sightspeed.com/files/SightSpeed_Check.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar...eomab-inst.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/217c1129a7919ab...p/RdxIE601.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.6/ttinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup141.cab
    O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test.toontown.com/sv...st/tt_test.cab

  2. #2 Canuck (Help2Go Administrator, Edmonton, Alberta, Canada, joined May 2003)

    Have you followed the instructions here: http://www.help2go.com/postt8026.html? If so, great; if not, please follow all the instructions and post the log to this thread.

  3. #3 steamwiz (Member, Yorkshire U.K., joined Sep 2003)

    Hi

    Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the items in the list below. When all are ticked (checked), click the Fix Checked button at the bottom:

    O2 - BHO: (no name) - {6DFE4C5C-B41B-2CB7-8327-11550BD22E10} - C:\WINDOWS\System32\dltb.dll

    O4 - HKCU\..\Run: [Yozjy] C:\WINDOWS\System32\ttbvwr.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/217c1129a7919ab...p/RdxIE601.cab


    Do you know what this is?

    O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe

    If it is the translucent clock by Garoosoft ... OK.

    If you don't know what it is, include the run key to be fixed, and delete the "Ghrone" folder.

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4 joshg (Member, joined Aug 2004)

    Thank you both so much... off to try that now. I had already followed all the other instructions.

    Yes, Ghrone is the transparent clock app, which I like.

    thanks again, will report back.

    --josh

  5. #5 joshg (Member, joined Aug 2004)

    Yay!! You're awesome...

    Looks like it worked.

    Any idea why Spybot and Ad-Aware didn't take care of it, since it was something you recognized?

    Thanks again,
    --josh

  6. #6 steamwiz (Member, Yorkshire U.K., joined Sep 2003)

    Hi josh

    You're very welcome

    Actually, I didn't recognise it ... the BHO and run key were both random, and no legitimate program needs to use random files/filenames.

    As everything else in your log was OK, the problem had to lie with these ...

    The fact that they are random ... CLSID and filename ... makes it difficult for Ad-Aware or Spybot to find them (as every time they are different).

    cheers

    steam

    As this thread is now resolved ... it can be locked ... cheers
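As an added example (not code from the thread or from HijackThis), steamwiz's rule that random-looking names are what signature scanners miss can be applied mechanically to HijackThis-style O2/O4/O16 lines. It judges the BHO name, the Run-key name and the launched filename rather than the CLSID (a CLSID alone cannot be told apart from a legitimate one); the vowel-ratio threshold and the bare-IP check on O16 downloads are my own assumed heuristics.

```python
import re

# Constructed sample modelled on josh's log: three bad lines, four legitimate ones.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DFE4C5C-B41B-2CB7-8327-11550BD22E10} - C:\WINDOWS\System32\dltb.dll
O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yozjy] C:\WINDOWS\System32\ttbvwr.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/217c1129a7919ab...p/RdxIE601.cab
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
O4_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((.*?)\))? - (\S+)$")

def looks_random(token: str) -> bool:
    """Assumed heuristic: 4+ letters and at most one vowel in five (ttbvwr, dltb, Yozjy)."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 4:
        return False
    vowels = sum(ch in "aeiou" for ch in letters)
    return vowels / len(letters) <= 0.2

def file_stem(command: str) -> str:
    # Basename of the launched file, without extension or trailing arguments.
    base = command.strip('"').replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".", 1)[0]

def check_line(line: str):
    """Return a reason if the line deserves a closer look, else None."""
    m = O2_RE.match(line)
    if m:
        name, _clsid, path = m.groups()
        if name == "(no name)" and looks_random(file_stem(path)):
            return "unnamed BHO loading a random-looking DLL"
        return None
    m = O4_RE.match(line)
    if m:
        _key, entry, command = m.groups()
        if looks_random(entry) and looks_random(file_stem(command)):
            return "Run key with random-looking name and filename"
        return None
    m = O16_RE.match(line)
    if m and re.match(r"https?://\d{1,3}(?:\.\d{1,3}){3}", m.group(2)):
        return "ActiveX download served from a bare IP address"
    return None

def scan_log(text: str):
    # Pair every suspicious line with the reason it was flagged.
    return [(ln, r) for ln in text.strip().splitlines() if (r := check_line(ln))]
```

Run over the sample, the three lines it returns are exactly the three entries steamwiz told josh to fix; the Ghrone and Symantec entries pass because their names are readable words.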

  7. #7 (Member, joined Jan 2003)

    Steam is smarter than Ad-Aware or Spybot :lol:

    This topic is closed:

    Cheers