Hi majortom,
Thank you for your question. I'm happy that you have solved your
problem and that I was able to assist you.
I would be very glad to help you out with another issue. You can
direct a question to me by just mentioning "for endo" in the title of
the question.
Thanks.
Kind regards,
endo

Clarification of Answer by endo-ga on 15 Dec 2003 22:10 PST
Sorry I don't know why I referred to you as majortom.
The answer was directed to cfsandy.
Sorry again for the confusion.
Thanks.
endo

Request for Answer Clarification by cfsandy-ga on 16 Dec 2003 05:14 PST
Well, we are 90% of the way there. I woke up this morning, came to my
computer and I had 5 pop-up ads from AT&T, Motorola, Tickle Single
Dating etc. Interesting because even though I was connected to the net
via DSL and Internet Explorer, I had my ACT! program on the
monitor...but still the pop-up ads came through and were on the
monitor. Whoops here comes another about Earthlink pop-up for
"ExitExchange Orbit Ad - Microsoft Internet Explorer."
Went to add/remove programs and I see one that says "Windows Media
Player Hotfix" and then there are a total of 32 programs that say
"Windows XP Hotfix (SP2) Q814995" with each one having a different
Qxxxxxxx number.
Well, duh, should have seen this last night. I thought they were
related to the XP upgrade I did a month ago but am 99% sure they are
what are doing the "volunteer" pop-up ads. I will await your reply
before I remove them just in case they are related to the XP
update...but I am quite sure this is the problem.

Clarification of Answer by endo-ga on 16 Dec 2003 07:19 PST
Hi,
Please have a look here:
random popups, here is the hijackthis log
http://forums.spywareinfo.com/index.php?showtopic=7840
The person seems to have the same problem as you do, and they solved
it using HijackThis. Could you please have another go at running it,
and publish the log once it's finished?
You do not want to remove the Hotfix items. These are patches for
Windows issued by Microsoft.
Another question, are these Internet Explorer style Windows popups
that look like browser windows or are they system style popups?
Thanks.
endo

Request for Answer Clarification by cfsandy-ga on 16 Dec 2003 12:01 PST
Hi Endo,
The HijackThis log is:
Logfile of HijackThis v1.97.7
Scan saved at 1:59:35 PM, on 12/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\WINDOWS\System32\kmw_run.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\Plaxo\1.3.1.132\InstallStub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\NvfwGL.exe
C:\WINDOWS\System32\Geke3M.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\ACT\act.exe
C:\Program Files\Qualcomm\Eudora Mail\Eudora.exe
C:\PROGRA~1\ACT\DrvWd6.wpi
C:\PROGRA~1\ACT\ActEmail.exe
C:\PROGRA~1\ACT\actwp.wpi
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PowerZip 6.5\PowerZip.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\PowerZip.tmp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C7F06285-E466-4A7C-8B7C-E2064EEE7E00} - C:\WINDOWS\System32\6bto4svc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter\RegistryController.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [52K6SAN2@777#@] C:\WINDOWS\System32\Kbj6.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.132\InstallStub.exe -a
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host.digichat.com//DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yse/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37595.4888194444
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223

Clarification of Answer by endo-ga on 16 Dec 2003 15:25 PST
Hi,
Can you please investigate the following files:
1-) C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
I have Norton AV and don't have such a file.
2-) C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
This one looks weird.
3-) C:\WINDOWS\Plaxo\1.3.1.132\InstallStub.exe
Do you use Plaxo? It seems kind of useless.
4-) C:\WINDOWS\System32\NvfwGL.exe
No idea what this is.
5-) C:\WINDOWS\System32\Geke3M.exe
No idea what this is.
6-) C:\Program Files\AproposClient\Apropos.exe
This is the biggest suspect. There isn't a lot of information about
it, but it seems to be your culprit.
Please look here for a topic with someone with the same problem and
same file running:
Subject: pop ups at work
http://www.computing.net/security/wwwboard/forum/8039.html
Please run:
CWShredder
http://www.spywareinfo.com/~merijn/junk/CWShredder.exe
Please try the suggestions of the other users.
7-) \Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:
Same as above.
Please try and remove Apropos then we can have another look at a log.
Thanks.
endo
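A small triage script for a HijackThis log of the kind cfsandy posted above, added here as an example and not part of the thread or of HijackThis itself: it parses the R/O entries and flags the same kinds of items endo walks through (the Hosts redirects, the Apropos BHO, the orphaned BHO, the oddly named Run value, the unnamed ActiveX download). The sample log is a constructed excerpt of entries from this thread, and the `suspect_keywords` parameter is a hypothetical input seeded with the component endo identified as the culprit.

```python
import re
# Constructed excerpt of the HijackThis 1.97 log posted in this thread (only a
# few of its entries); the full log is above.
SAMPLE_LOG = r"""
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C7F06285-E466-4A7C-8B7C-E2064EEE7E00} - C:\WINDOWS\System32\6bto4svc.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [52K6SAN2@777#@] C:\WINDOWS\System32\Kbj6.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - <body>"
RUN_VALUE_RE = re.compile(r"\[([^\]]*)\]")              # "[value name]" in O4 entries
CLEAN_NAME_RE = re.compile(r"^[\w .\-]+$")              # what vendor-assigned names look like
UNNAMED_DPF_RE = re.compile(r"^DPF: \{[^}]+\} - ")      # CLSID with no "(Friendly Name)"

def triage(log_text, suspect_keywords=("Apropos",)):
    """Return (section, reason, line) for entries worth a closer look; suspect_keywords
    (hypothetical parameter) carries the component endo identified as adware."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if any(k.lower() in body.lower() for k in suspect_keywords):
            findings.append((section, "matches suspect keyword", line))
        # O1: Hosts entries pointing public names at a fixed non-loopback IP hijack name resolution.
        if section == "O1":
            parts = body.split()                          # "Hosts: <ip> <hostname>"
            if len(parts) > 2 and not parts[1].startswith("127."):
                findings.append((section, "hosts file redirect", line))
        # Registry hooks whose target file is gone: leftovers, safe to clean.
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "orphaned entry", line))
        # O4: autorun value names that look machine-generated rather than vendor-chosen.
        if section == "O4":
            r = RUN_VALUE_RE.search(body)
            if r and not CLEAN_NAME_RE.match(r.group(1)):
                findings.append((section, "random-looking Run value name", line))
        # O16: a downloaded ActiveX control that registered no friendly name.
        if section == "O16" and UNNAMED_DPF_RE.match(body):
            findings.append((section, "unnamed ActiveX download", line))
    return findings
```

Run it with `triage(SAMPLE_LOG)` to get the flagged entries; the Norton, Shockwave and other vendor-named entries pass through untouched, which is the point of the heuristics rather than a blanket "remove everything" list.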