Q: Get Rid of My Popups! ( No Answer,   7 Comments )
Question  
Subject: Get Rid of My Popups!
Category: Computers > Security
Asked by: emorich-ga
List Price: $35.00
Posted: 02 Nov 2005 17:20 PST
Expires: 02 Dec 2005 17:20 PST
Question ID: 588209
I have Windows XP. I recently received an email from a friend that
contained an exe file. I downloaded it and ran it only to get another
email from her warning me not to, because it was a malware program.
Since then popups have been rearing their ugly head on my computer,
day and night. In order to get rid of them I have run the latest
versions of ad-aware, spybot, the trend micro online scan, AntiVir XP,
and PC-cillin. I have looked through most of the files on my startup,
running, and services menu on WinPatrol and I have run hijack. I have
even called a friend of mine who works in a company that is solely
devoted to getting rid of adware and spyware and had him walk me
through a way to get rid of this program, but all to no avail. No
matter what I do, they keep coming, and they are disrupting everything
I try to do. I also worry that passwords and privacy information may
be lost to them. I am doubly worried because I am in the process of
filling out college applications and I enter in my social security
number, as well as a great deal of other information including credit
card information, on a daily basis. Is there anything I haven't tried
that might save my computer? By the way, I use Opera v8.5 instead of
IE.

Clarification of Question by emorich-ga on 02 Nov 2005 17:24 PST
I am a plus member of winpatrol, and i have used the plus information
on most of the things listed, but it says they are all safe. also,
there's a typo, it was supposed to say hijack this. i also put the
hijack this logfile onto the internet site that another answer
question recommended, and fixed the things that it said were bad.

Request for Question Clarification by watershed-ga on 02 Nov 2005 17:54 PST
Hello emorich,

What sites are the pop-ups directing you to?  Any information about
the exact nature of the malware, such as internet addresses, strange
behaviour, odd names, odd processes will help.  Have you tried
Spyware Doctor?  It has a very comprehensive scan which has helped me
in the past, but it isn't free.  Also, while you know your computer is
compromised I would recommend that you do all information-sensitive
tasks on another PC, or if that isn't possible, create a new partition
on your hard drive and install a temporary OS on that for now.

Clarification of Question by emorich-ga on 02 Nov 2005 18:56 PST
they are a variety of different places.
http://www.virtual-free.com/normal/yyy65.html
http://www.jamster.com/s/jiw/html/affiliate/om/us/buy_this_real_tone/index.htm?tduid=3fd01e7ff310943a67bec787371276da
http://www.super-stock.com/normal/XBCYUS.html
http://www.starware.com/2.0.0.0/landing/weather/weather_01.php?banner=w0001&aff_id=weatherazoogle
http://www.deal-mobile.com/normal/yyy65.html
http://www.searc-h.com/normal/XBDYUS.html
http://www.searc-h.com/normal/yyy65.html
http://www.great-coupon.com/normal/yyy65.html
http://www.free-savings.com/normal/XBDYUS.html
http://www.discount-home.com/normal/XBDYUS.html
These are just a few of the sites, though they all seem to be sending
me different places. I have not tried spyware doctor, but I am trying
to keep the price to a minimum if at all possible, and there is no
guarantee that it will work, especially since nothing so far has. I've
looked through the running tasks and services on Winpatrol, and while
I didn't notice anything strange, I may have missed something. Other
than that and a bit of sluggishness there has been no strange behavior
that I can tell.

Clarification of Question by emorich-ga on 02 Nov 2005 19:10 PST
Update:
i went to spy doctor's site and downloaded the trial version and
scanned with it. it found a lot of risks, but the other programs did
too. it also won't fix them without registering. here are the results
of the scan:
Scan Results:

scan start:	11/2/2005 9:56:17 PM	
scan stop:	11/2/2005 10:04:04 PM	
scanned items:	67180	
found items:	130	
found and ignored:	0	
tools used:	General Scanner, Process Scanner, Hosts scanner, LSP
Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap
Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner

Request for Question Clarification by elmarto-ga on 03 Nov 2005 04:28 PST
Hello emorich!,
I recently had a similar experience and was able to solve it, so don't
panic yet :) First of all, I would need to know whether the
anti-spyware programs you ran (ad-aware, etc) actually reported
removing the malware, even though you're still experiencing the
problem.

Best regards,
elmarto

Clarification of Question by emorich-ga on 03 Nov 2005 13:17 PST
most of them did, yes. and i deleted them.

Request for Question Clarification by elmarto-ga on 03 Nov 2005 15:01 PST
Hello emorich,
If all the adware cleaning applications you've tried have failed, you
may want to try using the System Restore feature of Windows XP. This
will return your computer to a previous state (just like it was before
running the malware) without losing any personal data files. Here's a
simple tutorial from Microsoft on how to use it:

Use System Restore to Undo Changes if Problems Occur
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

After restoring the system, run again an anti-adware software and have
it remove anything it finds.

Please let me know if this solution worked for you, so I can post it as an answer.

Best regards,
elmarto

Clarification of Question by emorich-ga on 03 Nov 2005 19:21 PST
**sigh** i think i have a bigger problem than i thought. even after
restoring to two weeks ago, they still keep coming. i eventually undid
everything, as it didn't work at all. i'm wracking my brain to figure out
where it could be hiding that a system restore wouldn't kill it. is it
possible for it to infect the bios? if it did, how do i fix that?

Request for Question Clarification by pafalafa-ga on 03 Nov 2005 19:31 PST
Maybe I read over the comments here too fast, but I didn't notice you
mention two of the most simple things that should be part of your
clean-up attempts:

--use the "add or remove programs" feature in your control panel to look over
what's listed, and delete anything that looks hinky

--use msconfig to check your start-up list of programs, and uncheck
anything that doesn't belong


You might also want to find a copy of BHODemon freeware, and use it as
yet another anti-spyware sweep:


http://www.definitivesolutions.com/bhodemon.htm


Good luck...let us know how it works (or doesn't!)


pafalafa-ga

Clarification of Question by emorich-ga on 03 Nov 2005 19:42 PST
I had tried using add/remove programs and checking the startups menu
in msconfig (though i did it through winpatrol). i tried that program,
but that didn't work either. buying an external hard drive, saving the
things i want and wiping everything else would work, but i really
REALLY don't want to do that, so only if there is no other way.

Request for Question Clarification by pafalafa-ga on 03 Nov 2005 20:26 PST
I was told by a trustworthy source that this was one of the best
how-to sites around for fixing a corrupted system:


http://www.malwarehelp.org/how-to-curepart-1-using-avat-software.html


I don't have any personal experience with the site, but it looks quite
professional to me just the same.


Step through the process (it may take the better part of a day) and
let us know how it works out.


paf

Clarification of Question by emorich-ga on 06 Nov 2005 11:57 PST
i used that link, and the walkthrough was comprehensive, but i had
done almost all of it already. the only thing new was the part about
rootkits, which i had never heard of. so i downloaded the program it
suggested, RootKitRevealer, and ran it. it gave me the following log:

HKLM\SOFTWARE\CrjVmABFMl7n	10/26/2005 9:46 PM	0 bytes	Hidden from Windows API.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackTime	11/6/2005 2:46 PM	4 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackIP	11/6/2005 2:46 PM	28 bytes	Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackPort	11/6/2005 2:46 PM	10 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PDFBIOS	10/26/2005 9:46 PM	0 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\PDFbios	11/6/2005 2:07 PM	0 bytes	Hidden from Windows API.
C:\Program Files\Insvices	10/26/2005 10:46 PM	0 bytes	Hidden from Windows API.
C:\Program Files\Insvices\ACE.DLL	10/26/2005 10:46 PM	568.00 KB	Hidden from Windows API.
C:\Program Files\Insvices\AI_01-11-2005.log	11/2/2005 2:00 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Insvices\AI_02-11-2005.log	11/2/2005 8:23 PM	3 bytes	Hidden from Windows API.
C:\Program Files\Insvices\AI_03-11-2005.log	11/3/2005 2:00 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Insvices\AI_04-11-2005.log	11/5/2005 12:42 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Insvices\AI_05-11-2005.log	11/6/2005 11:15 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Insvices\AI_06-11-2005.log	11/6/2005 2:05 PM	3 bytes	Hidden from Windows API.
C:\Program Files\Insvices\AI_31-10-2005.log	11/1/2005 2:00 AM	3 bytes	Hidden from Windows API.
C:\Program Files\Insvices\Cache	10/26/2005 10:46 PM	0 bytes	Hidden from Windows API.
C:\Program Files\Insvices\NTSSSMGR.EXE	10/26/2005 10:46 PM	912.00 KB	Hidden from Windows API.
C:\Program Files\Insvices\NVITHEME.EXE	10/26/2005 10:46 PM	160.00 KB	Hidden from Windows API.
C:\Program Files\Insvices\WinGenerics.dll	10/26/2005 10:46 PM	576.00 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\IP62MTAG.SYS	10/26/2005 10:46 PM	12.00 KB	Hidden from Windows API.
C:\WINDOWS\SYSTEM32\RDOLSAPI.EXE	10/26/2005 10:46 PM	460.00 KB	Hidden from Windows API.

I have absolutely no idea what this means. i also don't know what to do
if i did know. the program doesn't give you the option of deleting the
files, but it does give you a path. i could delete them manually i
guess, but if that was the solution it would probably have given the
option. what should i do now?
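
One way to read a RootkitRevealer log like the one posted above, as an added example that is not part of the original thread or of RootkitRevealer: it separates entries that are hidden from the Windows API from those that only show a data mismatch, and sorts the hidden ones into service keys, drivers and binaries. The function names `parse` and `triage` and the grouping rules are assumptions of this example; the sample entries are copied from the post.

```python
import re
from datetime import datetime

# Constructed sample: entries copied from the RootkitRevealer log in the post
# above. Columns are whitespace-separated and some entries are hard-wrapped on
# purpose, the way forum software breaks long lines.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\CrjVmABFMl7n  10/26/2005 9:46 PM  0 bytes  Hidden from Windows API.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackTime  11/6/2005
2:46 PM  4 bytes  Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackIP  11/6/2005
2:46 PM  28 bytes  Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\PDFbios  11/6/2005 2:07 PM  0
bytes  Hidden from Windows API.
C:\Program Files\Insvices  10/26/2005 10:46 PM  0 bytes  Hidden from Windows API.
C:\Program Files\Insvices\NTSSSMGR.EXE  10/26/2005 10:46 PM  912.00
KB  Hidden from Windows API.
C:\Program Files\Insvices\AI_06-11-2005.log  11/6/2005 2:05 PM  3
bytes  Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\IP62MTAG.SYS  10/26/2005 10:46 PM  12.00
KB  Hidden from Windows API.
C:\WINDOWS\SYSTEM32\RDOLSAPI.EXE  10/26/2005 10:46 PM  460.00 KB  Hidden
from Windows API.
"""

# One finding = path, timestamp, size, description (which ends in a full stop).
# \s+ between the columns also swallows a line wrap inside an entry.
ENTRY = re.compile(
    r"(?P<path>(?:HK[A-Z]+|[A-Za-z]:)\\.*?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>[^.]+\.)"
)


def _squash(text):
    """Collapse runs of whitespace (including wraps) into single spaces."""
    return " ".join(text.split())


def parse(text):
    """Return one dict per finding, tolerating wrapped entries."""
    findings = []
    for m in ENTRY.finditer(text):
        desc = _squash(m["desc"])
        findings.append({
            "path": m["path"],
            "when": datetime.strptime(_squash(m["when"]), "%m/%d/%Y %I:%M %p"),
            "size": _squash(m["size"]),
            "desc": desc,
            # "Hidden": the object exists in the raw disk/hive data but the
            # Windows API does not return it.
            "hidden": desc.startswith("Hidden from Windows API"),
        })
    return findings


def triage(findings):
    """Group findings so the load-bearing ones stand out (heuristic)."""
    hidden = [f for f in findings if f["hidden"]]
    report = {
        "services": [],      # hidden Services keys: what gets started at boot
        "drivers": [],       # hidden .sys files: candidate kernel component
        "binaries": [],      # hidden .exe/.dll files: user-mode payload
        "other_hidden": [],  # hidden folders, logs, other registry keys
        # Visible but inconsistent values; a value rewritten while the scan
        # runs can also produce this, so these rank below hidden objects.
        "mismatch_only": [f["path"] for f in findings if not f["hidden"]],
        # Earliest timestamp on a hidden object: a lower bound on install time.
        "first_seen": min((f["when"] for f in hidden), default=None),
    }
    for f in hidden:
        path, low = f["path"], f["path"].lower()
        service = re.search(r"\\Services\\([^\\]+)$", path, re.I)
        if path.upper().startswith("HK") and service:
            report["services"].append(service.group(1))
        elif low.endswith(".sys"):
            report["drivers"].append(path)
        elif low.endswith((".exe", ".dll")):
            report["binaries"].append(path)
        else:
            report["other_hidden"].append(path)
    return report


if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, the earliest hidden object dates from 26 Oct 2005, and the hidden `PDFbios` service key and `IP62MTAG.SYS` driver sort apart from the PC-cillin firewall values, which only show mismatches.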

Request for Question Clarification by pafalafa-ga on 09 Nov 2005 20:04 PST
emorich-ga,

How's it going...any progress?


One more thing you might want to try:


http://www.microsoft.com/athome/security/spyware/software/default.mspx


It's pretty new, and I've no direct experience with it myself, but it
seems worth a shot...


Let me know how it works out.


paf

Clarification of Question by emorich-ga on 11 Nov 2005 19:56 PST
Reading the most recent request for clarification, along with the fact
that it has been a very long time since your last post, i believe that
you may have not seen my last response, so i will repost it. i also do
not want to download a new program to try and deal with my popups
until i am sure that what i have done so far has not worked. here is
my previous post:


Request for Question Clarification by pafalafa-ga on 11 Nov 2005 20:06 PST
emorich-ga,

Regarding the rootkits, you wrote:  <<I have absolutely no idea what this means...>>


That makes two of us!  Wish I could help with the rootkits, but I'm
just not familiar with that software and (frankly) not quite willing
to download it and begin playing around.

The Microsoft spyware software is a pretty new addition to the
arsenal, and is reportedly a good tool that is kept up-to-date as new
threats emerge.  May be worth a shot.

Wish I could provide some more definitive assistance, but as you've no
doubt gathered by now, some of these bugs can be the dickens to get
rid of, and there's a large amount of trial and error that has to
happen before one (hopefully) succeeds.

Best of luck,

paf

Clarification of Question by emorich-ga on 18 Nov 2005 11:33 PST
i have not yet used the program recommended because for some reason
the popups have suddenly stopped. what's strange is that they seem to
have stopped of their own volition. i did not scan or delete anything
that i can think of, and suddenly my computer is working fine again. i
thought it was only temporary, but  as of a few days after my last
post, i have had no popups. i'm still a little worried about security,
but at the same time i am afraid to rock the boat and scan or
anything. maybe i'm just being paranoid. what would you recommend?

Request for Question Clarification by pafalafa-ga on 22 Nov 2005 09:35 PST
If things are still working as you'd like them to, I'd say just leave things be.

Like they say, If it ain't broke...don't fix it.

You may want to review your system security, and think about what
anti-spyware strategies and software to use to minimize future
problems.

Good luck.


paf
Answer  
There is no answer at this time.

Comments  
Subject: Re: Get Rid of My Popups!
From: onetone-ga on 03 Nov 2005 19:20 PST
 
it seems that you've tried most of the things which should work and
rid you of your popups.  I would say that you should have your hard
drive formatted completely rather than a restore.  If the most popular
tools are not removing the problem you should begin with a clean
slate.  A complete format of your system is what is required.
Subject: Re: Get Rid of My Popups!
From: aldamar-ga on 03 Nov 2005 20:14 PST
 
Also, should note for the sake of it. You asked about if it's possible
something got into your BIOS - it happens, sure. If you want to be
safe and make sure nothing is in there, tank the BIOS by removing the
CMOS battery for a good while. That should reset everything to factory
default settings.

You can, of course, flash it and do a firmware upgrade too if you feel brave.

Good luck!

- Aldamar
Subject: Re: Get Rid of My Popups!
From: llbbl-ga on 04 Nov 2005 12:39 PST
 
Hi emorich,

Here is what you need to do in order to save your computer. I will
outline what you need to do in as little as three easy steps.

Since you already have tried an online virus scan and it has found
nothing, then what it really means is that the scanner just hasn't
found the right thing that is infecting your computer. It doesn't
sound like a virus but it could be doing the popups to mask other
activity. I wouldn't do anything requiring sensitive information such
as filling out college applications until you get the problem fixed.

The problem with spyware and adware is that everyone has a recommendation that
they think will work for you, about some program that they got to work
for them in the past. The reality is there are only a handful of programs
that have active communities behind them staying on the forefront of
what is required to remove these infections on your computer. The next
problem is that many of these programs are complicated to use and you
are never sure if something is safe to remove or not.

To solve both of these problems there exists an automated script that
will download, install and run the most current versions/definitions
of the following programs for you: Ad-Aware, Spybot, Spy Sweeper,
Spyware Doctor, CWShredder, SpywareBlaster, Spyware Block List, NOD32
AntiThreat, Sysclean Package, SuperDAT VirusScan. This script is
written and developed by M. Loman te Almelo in the Netherlands called
Hitman Pro. I have used it personally and it works very well.

STEP 1) Download and Run Hitman Pro 2

Hitman Pro 2
http://www.hitmanpro.nl/

The next program that you will need to install costs money, but it is
worth it. You will need to buy an antivirus program regardless to
protect yourself from these things happening again in the future. The
best antivirus program is called NOD32. It has the highest detection
rate and uses the least amount of system resources. There is a 30 day
trial, but you should buy it since you will want to use this all the
time.

STEP 2) Purchase, Download, Install and Run NOD32

NOD32
http://www.eset.com/products/products.htm

What if it is not fixed? Now that you have just scanned your computer
with every single adware/spyware/malware detector that is available
and run the best virus scanner on the market, you can be assured that
if it isn't fixed at this point then it is not worth fixing. It is
easier to start from scratch. While it is true that you can do a
recovery CD if you bought the computer from a company like DELL, it is
better to just do a clean install, for a number of reasons.

If not fixed at this point:

STEP 3) Reinstall Windows 
http://www.microsoft.com/windowsxp/using/setup/expert/honeycutt_02october07.mspx
http://www.winsupersite.com/showcase/windowsxp_sg_clean.asp
http://www.pcnineoneone.com/howto/clean1.html

There, now it should be fixed! Make sure you reinstall NOD32 and keep
that going. Also it is good to be behind a firewall/router. You should
buy a Linksys or D-Link router from your local computer store or
online, even if you have only one computer! The new wireless ones are
$50-$80, but you could find a wired one for $20-$30 if you looked.

Another suggestion would be to switch to Linux if you do not need the
computer for gaming. Linux has a replacement for almost every program
available for Windows. I know the only reason I have Windows is for
gaming =/.

-llbbl
Subject: Re: Get Rid of My Popups!
From: brownie19-ga on 15 Nov 2005 15:07 PST
 
A simple answer to this problem is to download Spysweeper. Get a free
trial and it will pick up many things which other programs did not
pick up!

It is a brilliant program!

http://www.webroot.com/
Subject: Re: Get Rid of My Popups!
From: ladyjay76-ga on 22 Nov 2005 08:45 PST
 
I would suggest Ewido Security Suite.
http://download.ewido.net/ewido-setup.exe
Subject: Re: Get Rid of My Popups!
From: dave247-ga on 05 Dec 2005 10:36 PST
 
Hi Emorich,

You can scan your computer for free using this website..

--> http://waiter.noadware.hop.clickbank.net

It's called NoAdware and it works a treat!

Hope this helps!

Dave
Subject: Re: Get Rid of My Popups! (INSVICES)
From: adillathebum-ga on 15 Jan 2006 07:04 PST
 
Hi All, this bulletin board was the only reference I could find to
INSVICES and the pain that ensues from all the bl***dy pop-ups because
of it.  I have found a way to get rid of it but I don't want to put
the answer here so the malware writers (may they ALL go to hell and
suffer real bad) know how it can be stopped.  If you'd like to know,
post a reply to this and I'll be alerted by EMail, don't forget to
include your EMail address if you'd like the fix.  If I get shed loads
of hits, I'll post it up here; otherwise, I'll EMail you back with the
fix.  As an aside I'd like to say I hate malware writers with a
passion you could photograph!!  I spent over 10 hours looking for a
fix for this.  I owe a debt of gratitude to the Windows XP Registry
book by SYBEX, thanks guys.
