Google Answers Logo
View Question
Q: Pop-up Ad "Virus" ( Answered,   2 Comments )
Subject: Pop-up Ad "Virus"
Category: Computers > Internet
Asked by: cfsandy-ga
List Price: $2.00
Posted: 14 Dec 2003 18:22 PST
Expires: 13 Jan 2004 18:22 PST
Question ID: 287182
Every time I log into Google I immediately get 1 or 2 pop up adds.
Then when I go to another web site, I get 1 or 2 pop-up ads ALWAYS.
This just started a couple of days ago. I have a pop-up ad "virus."
Pop-ups include Expedia, Single Dating, Axis Point Financial, Traffic
Venue Network, etc. Something put this in my do I get it
out? I have run Ad-Aware 6.0 and deletted cookies and temporary
internet files and it is still there.

Request for Question Clarification by endo-ga on 14 Dec 2003 22:01 PST

Please try running the following:


Hijack This


Clarification of Question by cfsandy-ga on 15 Dec 2003 08:30 PST
Thank you for the clarification and both comments. I have run spybot
and removed 100% of any program that they mention...I ran Adware
6.0...and removed anything they mentioned including the Weatherbug
program...and I still get 2 to 3 pop-ups for University of Phoenix,
Expedia, CheapTickets, Tickle Matchmaking, etc every time I go to a
new web site.

But...I will update each program and totally uninstall the
Weatherbug...and see if this clears up the problem. Also one of the
dominant pop-ups is from and I have a call into
their sales department (the only phone number they supply) to see how
I can remove their irratating pop-up adds.

Clarification of Question by cfsandy-ga on 15 Dec 2003 19:09 PST
Grrrr...I have updated Spybot and Ad-Ware 6.0 and uninstalled
WeatherBug. Then ran Spybot and Ad-Ware...then rebooted my computer
and ran each of them again eliminating 100% of what was there. The
last time each had nothing to eliminate. And...when I clicked
Google..up came a pop-up. Then every 2nd time or so when I would surf
to a new web page..up would come another pop-up. When I leave my
computer for a couple of hours with Google left on (I have DSL), I
come back and there are 3 or 4 pop-ups waiting for me. I am at loss as
to what to do. This is more than a $2.00 question and am happy to up
the price to what it will take to get this pop-up virus out of my

Request for Question Clarification by endo-ga on 15 Dec 2003 19:19 PST

Please try running Trendmicro virus scan:

It could also be a program that you installed, that none of the
scanners are picking up. Have a look in the add/remove programs panel
for anything suspicious.


Clarification of Question by cfsandy-ga on 15 Dec 2003 21:05 PST
That did it. I went to the program add/delete and found a couple of
programs I had not seen before, especially one that was "multisearch."
No more pop-ups or unusual delays when Google comes up.

If you would like, please change your "Request for Clarification" to
an "Answer" so that I may rate it...and tip you. Thank you very much.
By the way...if I wanted to ask another question and request you to be
the one to answer it, how would I do that?...that is, if you wanted to
answer it or you were the best one to answer it...
Subject: Re: Pop-up Ad "Virus"
Answered By: endo-ga on 15 Dec 2003 21:09 PST
Hi majortom,

Thank you for your question. I'm happy that you have solved your
problem and that I was able to assist you.

I would be very glad to help you out with another issue. You can
direct a question to me by just mentionning "for endo" in the title of
the question.


Kind regards,

Clarification of Answer by endo-ga on 15 Dec 2003 22:10 PST
Sorry I don't know why I referred to you as majortom.
The answer was directed to cfsandy.
Sorry again for the confusion.


Request for Answer Clarification by cfsandy-ga on 16 Dec 2003 05:14 PST
Well, we are 90% of the way there. I woke up this morning, came to my
computer and I had 5 pop-up ads from AT&T, Motorola, Tickle Single
Dating etc. Interesting because even though I was connected to the net
via DSL and Internet Explorer, I had my ACT! program on the
moniter...but still the pop-up ads came through and were on the
monitor. Whoops here comes another about Earthlink pop-up for
"ExitExchange Orbit Ad - Microsoft Internet Explorer."

Went to add/remove programs and I see one that says "Windows Media
Player Hotfix" and then there are a total of 32 programs that say
"Windows XP Hotfix (SP2) Q814995" with each one having a different
Qxxxxxxx number.

Well, dah, should have seen this last night. I thought they were
related to the XP upgrade I did a month ago but am 99% sure they are
what are doing the "volunteer" pop-up ads. I will await your reply
before I remove them just in case they are related to the XP
update...but I am quite sure this is the problem.

Clarification of Answer by endo-ga on 16 Dec 2003 07:19 PST

Please have a look here:

random popups, here is the hijackthis log

The person seems to have the same problem as you do, and they solved
it using HijackThis. Could you please have another go at running it,
and publish the log once it's finished?

You do not want to remove the Hotfix items. These are patches for
Windows issued by Microsoft.

Another question, are these Internet Explorer style Windows popups
that look like browser windows or are they system style popups?


Request for Answer Clarification by cfsandy-ga on 16 Dec 2003 12:01 PST
Hi Endo,

The HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 1:59:35 PM, on 12/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\ACT\act.exe
C:\Program Files\Qualcomm\Eudora Mail\Eudora.exe
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PowerZip 6.5\PowerZip.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} 

- (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} 

- (no file)
O1 - Hosts: search.netscape.com12.129.205.209
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:

\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:

\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:

\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:

\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C7F06285-E466-4A7C-8B7C-E2064EEE7E00} - C:

\WINDOWS\System32\6bto4svc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} 

- C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog 

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32

O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!

\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD 

Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.

O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program 

Files\ScanSoft\PDF Converter\RegistryController.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3

\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [52K6SAN2@777#@] C:\WINDOWS\System32\Kbj6.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\\InstallStub

.exe -a
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program 

O4 - Global Startup: Controller.LNK = C:\Program 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft 

O8 - Extra context menu item: Open PDF in Word - res://C:\Program 

Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet 

O16 - DPF: DigiChat Applet -

O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver 

Class) -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX 

Control) -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX 

Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus 

scanner) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) 

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update 

Installation Engine) -

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI 

Registry Information Class) -

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload 

Tool) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash 

Object) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) 

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj 

Class) -

Clarification of Answer by endo-ga on 16 Dec 2003 15:25 PST

Can you please investigate the following files:

1-) C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

I have Norton AV and don't have such a file.

2-) C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

This one looks weird.

3-) C:\WINDOWS\Plaxo\\InstallStub.exe

Do you use Plaxo? It seems kind of useless.

4-) C:\WINDOWS\System32\NvfwGL.exe

No idea what this is.

5-) C:\WINDOWS\System32\Geke3M.exe

No idea what this is.

6-) C:\Program Files\AproposClient\Apropos.exe

This is the biggest suspect. There isn't a lot of information about
it, but it seems to be your culprit.

Please look here for a topic with someone with the same problem and
same file running:

Subject: pop ups at work

Please run:


Please try the suggestions of the other users.

7-) \Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:

Same as above.

Please try and remove Apropos then we can have another look at a log.

Subject: Re: Pop-up Ad "Virus"
From: majortom-ga on 15 Dec 2003 06:11 PST
In addition to the above suggestions, which are definitely sound, you
should also install AdAware. There is a free edition available. While
Spybot is also good, AdAware was the application that finally
succeeded in removing <b>all</b> of the horrible adware that afflicted
my copy of Internet Explorer a few months back.

AdAware Standard Edition

Also, before running a scan with either Spybot or AdAware, you must
explicitly click on the "update" button to fetch up-to-date
information from the web sites of the authors. Otherwise, there is
little value in running either program, as new security holes in IE
and new invasive adware appear all the time. As of my most recent
experience, neither program does the "update" operation automatically,
so do not take it for granted, make sure you click that button before
doing a scan to remove adware. Good luck!
Subject: Re: Pop-up Ad "Virus"
From: ac67-ga on 15 Dec 2003 07:32 PST
You might also consider whether you have recently installed anything
that might be causing this.  I had the same problem, and had recently
installed a program that displayed current weather info on the task
bar (unfortunately, I can't remember which one, because there are
services out there that accomplish this without all the ads).  I
didn't see any warning that it would cause this behavior, but after I
uninstalled it things worked fine.  And neither Ad-aware or Spybot
caught it.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  

Google Home - Answers FAQ - Terms of Service - Privacy Policy