Old Jun 29, 2004, 04:25 PM   #1

Pissed installed popup.

i have this popup that comes up every time i close a window. it is basically a window telling me i have 'spyware' & to click on the button to go to their site/be scanned.
i have adaware installed. i installed cw shredder, spybot, & popup manager. while they all got rid of stuff, none of them seem to be able to find/get rid of this .. whatever it is.
not 100% sure(gonna test it in a min) but i think it is a prog on my comp. think it popped up when i was offline.
HELP PLEASE. IT IS DRIVING ME CRAZY(er)!!

edit
yeh it is something on my comp. i turned off my network & clicked on my home page. the standard cannot find server came up. as soon as i closed it i got the popup with the cannot find server.
fyi it seems the 'i have spyware' message is not the only one; seems there are a couple of others but that one is the most prevalent by far.

Last edited by mike2h; Jun 29, 2004 at 04:30 PM.
mike2h is offline   Reply With Quote


Old Jun 29, 2004, 04:47 PM   #2

Try spyware blaster as one step, the other would be find out where the popup is accessing, what server, and block that server in your hosts file. Oh yeah, HijackThis should tell you what's going on in your registry as well, might find it there. If you can't figure it out I'm sure someone here can help, just upload the log file.
PoopyTheJ is offline   Reply With Quote
Old Jun 29, 2004, 04:51 PM   #3

well i ran all those programs again. twice. setup a discscan & rebooted. went to my msn.com, closed it, no popup. so far, good. went to one of my stock pages at motleyfool.com. closed it- no problem. alright! things are looking good. came here closed the page & there it was again. went back to the other 2 sites & sure enough it 'popped up' on both of them after closing. anybody got a clue? is anybody else having this problem?
mike2h is offline   Reply With Quote
Old Jun 29, 2004, 04:53 PM   #4

Try HiJackThis from www.spywareinfo.com/~merijn/
MythicaL is offline   Reply With Quote
Old Jun 29, 2004, 05:00 PM   #5

thx both of you. keep this up, i will have more spyware/popup software installed on my comp than reg progs.
mike2h is offline   Reply With Quote
Old Jun 29, 2004, 05:25 PM   #6

in case somebody knows what is what here is the logfile from hijack.
i already del the entries i was sure about. did not help.


Logfile of HijackThis v1.97.7
Scan saved at 3:22:34 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\ll_mtfm.exe
C:\Documents and Settings\mike\Desktop\downloads\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ll_mtfm] C:\WINDOWS\System32\ll_mtfm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...925.6012268519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
mike2h is offline   Reply With Quote
Old Jun 29, 2004, 06:04 PM   #7

ll_mtfm.exe dunno what that is, try running IE with ActiveX completely disabled, see if that helps. Make sure messenger is disabled as well.
PoopyTheJ is offline   Reply With Quote
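An added example, not part of any post in this thread: one way to turn a HijackThis log like the one above into a short list of autorun entries to look up by name. It keeps O4 Run entries whose program is currently running from somewhere outside Program Files; that filter and the `known` parameter (names the reviewer has already identified) are assumptions made for this sketch, and an entry on the list is only a candidate for lookup, not a verdict.

```python
import ntpath
import re

# A few lines copied from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\ll_mtfm.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ll_mtfm] C:\WINDOWS\System32\ll_mtfm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

def target_exe(cmd):
    """Return the program part of a Run command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split()[0]

def lookup_worklist(text, known=frozenset()):
    """List (hive, value name, running path) for autoruns worth looking up."""
    procs, autoruns, in_procs = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:      # blank line ends the process list
            in_procs = False
        elif in_procs:
            procs[ntpath.basename(line).lower()] = line
        elif (m := O4_RE.match(line)):
            autoruns.append((m[1], m[2], target_exe(m[3])))
    work = []
    for hive, name, exe in autoruns:
        base = ntpath.basename(exe).lower()
        path = procs.get(base)           # None if the autorun is not resident
        if path and base not in known and "\\program files\\" not in path.lower():
            work.append((hive, name, path))
    return work

if __name__ == "__main__":
    for row in lookup_worklist(SAMPLE_LOG, known={"cthelper.exe", "ctfmon.exe"}):
        print(row)
```
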
Old Jun 29, 2004, 07:05 PM   #8

spybot keeps finding something called dso exploit. there are 5 entries underneath. it deletes them but they keep coming back. does not appear to be the vx2 thing like i originally thought.
mike2h is offline   Reply With Quote
Old Jun 29, 2004, 07:33 PM   #9

Just for fun try blocking this server in your hosts file: a.as-us.falkag.net. You said it showed back up after visiting DH, see if that gets rid of it. If so.... send Z a PM about it; it's the DH adserver doing it, and I know he's not fond of that kind of stuff.
PoopyTheJ is offline   Reply With Quote
 

 
All times are GMT -5.