Q: Pop-up Ad "Virus" ( Answered,   2 Comments )
Question  
Subject: Pop-up Ad "Virus"
Category: Computers > Internet
Asked by: cfsandy-ga
List Price: $2.00
Posted: 14 Dec 2003 18:22 PST
Expires: 13 Jan 2004 18:22 PST
Question ID: 287182
Every time I log into Google I immediately get 1 or 2 pop-up ads.
Then when I go to another web site, I get 1 or 2 pop-up ads ALWAYS.
This just started a couple of days ago. I have a pop-up ad "virus."
Pop-ups include Expedia, Single Dating, Axis Point Financial, Traffic
Venue Network, etc. Something put this in my system...how do I get it
out? I have run Ad-Aware 6.0 and deleted cookies and temporary
internet files and it is still there.

Request for Question Clarification by endo-ga on 14 Dec 2003 22:01 PST
Hi,

Please try running the following:

Spybot
http://www.safer-networking.org/

Hijack This
http://mjc1.com/mirror/hjt/


Thanks.
endo

Clarification of Question by cfsandy-ga on 15 Dec 2003 08:30 PST
Thank you for the clarification and both comments. I have run spybot
and removed 100% of any program that they mention...I ran Adware
6.0...and removed anything they mentioned including the Weatherbug
program...and I still get 2 to 3 pop-ups for University of Phoenix,
Expedia, CheapTickets, Tickle Matchmaking, etc every time I go to a
new web site.

But...I will update each program and totally uninstall the
Weatherbug...and see if this clears up the problem. Also one of the
dominant pop-ups is from TrafficMarketPlace.com and I have a call into
their sales department (the only phone number they supply) to see how
I can remove their irritating pop-up ads.

Clarification of Question by cfsandy-ga on 15 Dec 2003 19:09 PST
Grrrr...I have updated Spybot and Ad-Ware 6.0 and uninstalled
WeatherBug. Then ran Spybot and Ad-Ware...then rebooted my computer
and ran each of them again eliminating 100% of what was there. The
last time each had nothing to eliminate. And...when I clicked
Google..up came a pop-up. Then every 2nd time or so when I would surf
to a new web page..up would come another pop-up. When I leave my
computer for a couple of hours with Google left on (I have DSL), I
come back and there are 3 or 4 pop-ups waiting for me. I am at a loss as
to what to do. This is more than a $2.00 question and am happy to up
the price to what it will take to get this pop-up virus out of my
computer.

Request for Question Clarification by endo-ga on 15 Dec 2003 19:19 PST
Hi,

Please try running Trendmicro virus scan:

http://housecall.trendmicro.com

It could also be a program that you installed, that none of the
scanners are picking up. Have a look in the add/remove programs panel
for anything suspicious.

Thanks.
endo

Clarification of Question by cfsandy-ga on 15 Dec 2003 21:05 PST
That did it. I went to the program add/delete and found a couple of
programs I had not seen before, especially one that was "multisearch."
No more pop-ups or unusual delays when Google comes up.

If you would like, please change your "Request for Clarification" to
an "Answer" so that I may rate it...and tip you. Thank you very much.
By the way...if I wanted to ask another question and request you to be
the one to answer it, how would I do that?...that is, if you wanted to
answer it or you were the best one to answer it...
Answer  
Subject: Re: Pop-up Ad "Virus"
Answered By: endo-ga on 15 Dec 2003 21:09 PST
 
Hi majortom,

Thank you for your question. I'm happy that you have solved your
problem and that I was able to assist you.

I would be very glad to help you out with another issue. You can
direct a question to me by just mentioning "for endo" in the title of
the question.

Thanks.

Kind regards,
endo

Clarification of Answer by endo-ga on 15 Dec 2003 22:10 PST
Sorry I don't know why I referred to you as majortom.
The answer was directed to cfsandy.
Sorry again for the confusion.

Thanks.
endo

Request for Answer Clarification by cfsandy-ga on 16 Dec 2003 05:14 PST
Well, we are 90% of the way there. I woke up this morning, came to my
computer and I had 5 pop-up ads from AT&T, Motorola, Tickle Single
Dating etc. Interesting because even though I was connected to the net
via DSL and Internet Explorer, I had my ACT! program on the
monitor...but still the pop-up ads came through and were on the
monitor. Whoops here comes another about Earthlink pop-up for
"ExitExchange Orbit Ad - Microsoft Internet Explorer."

Went to add/remove programs and I see one that says "Windows Media
Player Hotfix" and then there are a total of 32 programs that say
"Windows XP Hotfix (SP2) Q814995" with each one having a different
Qxxxxxxx number.

Well, dah, should have seen this last night. I thought they were
related to the XP upgrade I did a month ago but am 99% sure they are
what are doing the "volunteer" pop-up ads. I will await your reply
before I remove them just in case they are related to the XP
update...but I am quite sure this is the problem.

Clarification of Answer by endo-ga on 16 Dec 2003 07:19 PST
Hi,

Please have a look here:

random popups, here is the hijackthis log
http://forums.spywareinfo.com/index.php?showtopic=7840

The person seems to have the same problem as you do, and they solved
it using HijackThis. Could you please have another go at running it,
and publish the log once it's finished?

You do not want to remove the Hotfix items. These are patches for
Windows issued by Microsoft.

Another question, are these Internet Explorer style Windows popups
that look like browser windows or are they system style popups?

Thanks.
endo

Request for Answer Clarification by cfsandy-ga on 16 Dec 2003 12:01 PST
Hi Endo,

The HijackThis log is:

Logfile of HijackThis v1.97.7
Scan saved at 1:59:35 PM, on 12/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\WINDOWS\System32\kmw_run.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\Plaxo\1.3.1.132\InstallStub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\NvfwGL.exe
C:\WINDOWS\System32\Geke3M.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\ACT\act.exe
C:\Program Files\Qualcomm\Eudora Mail\Eudora.exe
C:\PROGRA~1\ACT\DrvWd6.wpi
C:\PROGRA~1\ACT\ActEmail.exe
C:\PROGRA~1\ACT\actwp.wpi
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PowerZip 6.5\PowerZip.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\PowerZip.tmp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C7F06285-E466-4A7C-8B7C-E2064EEE7E00} - C:\WINDOWS\System32\6bto4svc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter\RegistryController.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [52K6SAN2@777#@] C:\WINDOWS\System32\Kbj6.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.132\InstallStub.exe -a
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host.digichat.com//DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yse/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37595.4888194444
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223

Clarification of Answer by endo-ga on 16 Dec 2003 15:25 PST
Hi,

Can you please investigate the following files:

1-) C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

I have Norton AV and don't have such a file.

2-) C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

This one looks weird.

3-) C:\WINDOWS\Plaxo\1.3.1.132\InstallStub.exe

Do you use Plaxo? It seems kind of useless.

4-) C:\WINDOWS\System32\NvfwGL.exe

No idea what this is.

5-) C:\WINDOWS\System32\Geke3M.exe

No idea what this is.

6-) C:\Program Files\AproposClient\Apropos.exe

This is the biggest suspect. There isn't a lot of information about
it, but it seems to be your culprit.

Please look here for a topic with someone with the same problem and
same file running:

Subject: pop ups at work
http://www.computing.net/security/wwwboard/forum/8039.html

Please run:

CWShredder
http://www.spywareinfo.com/~merijn/junk/CWShredder.exe

Please try the suggestions of the other users.

7-) \Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:

Same as above.


Please try and remove Apropos then we can have another look at a log.

Thanks.
endo
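
An added example, not part of the original thread: a short Python triage of a HijackThis log in the line format posted above, listing the entries worth a manual look. The sample lines are copied from that log with the wrapping removed; the three review heuristics and the function names are assumptions of this example, not HijackThis verdicts.

```python
import re

# Lines copied from the HijackThis log posted in this thread (wrapping removed).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [52K6SAN2@777#@] C:\WINDOWS\System32\Kbj6.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
RUN_NAME = re.compile(r"Run: \[([^\]]*)\]")

# Review heuristics chosen for this example; a hit means "look closer", not "malicious".
def review_reasons(code, body):
    reasons = []
    if code == "O2":
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("BHO registered but DLL absent")
        elif body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
    elif code == "O4":
        m = RUN_NAME.search(body)
        if m and re.search(r"[^\w .\-]", m.group(1)):
            reasons.append("autorun value name has unusual characters")
    elif code == "O16":
        if re.match(r"DPF: \{[0-9A-Fa-f\-]+\} - ", body):
            reasons.append("downloaded ActiveX control with no class name")
    return reasons

def triage(log_text):
    """Return (code, reason, body) for every entry that deserves a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list, or blank line
        code, body = m.groups()
        for reason in review_reasons(code, body):
            findings.append((code, reason, body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}: {body}")
```

Unnamed BHOs also include legitimate software, so each hit still has to be checked against what is actually installed on the machine.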
Comments  
Subject: Re: Pop-up Ad "Virus"
From: majortom-ga on 15 Dec 2003 06:11 PST
 
In addition to the above suggestions, which are definitely sound, you
should also install AdAware. There is a free edition available. While
Spybot is also good, AdAware was the application that finally
succeeded in removing all of the horrible adware that afflicted
my copy of Internet Explorer a few months back.
See:

AdAware Standard Edition
http://www.lavasoft.de/support/download/

Also, before running a scan with either Spybot or AdAware, you must
explicitly click on the "update" button to fetch up-to-date
information from the web sites of the authors. Otherwise, there is
little value in running either program, as new security holes in IE
and new invasive adware appear all the time. As of my most recent
experience, neither program does the "update" operation automatically,
so do not take it for granted, make sure you click that button before
doing a scan to remove adware. Good luck!
Subject: Re: Pop-up Ad "Virus"
From: ac67-ga on 15 Dec 2003 07:32 PST
 
You might also consider whether you have recently installed anything
that might be causing this.  I had the same problem, and had recently
installed a program that displayed current weather info on the task
bar (unfortunately, I can't remember which one, because there are
services out there that accomplish this without all the ads).  I
didn't see any warning that it would cause this behavior, but after I
uninstalled it things worked fine.  And neither Ad-aware nor Spybot
caught it.
