I have Windows XP. I recently received an email from a friend that contained an exe file. I downloaded it and ran it, only to get another email from her warning me not to, because it was a malware program. Since then popups have been rearing their ugly head on my computer, day and night. In order to get rid of them I have run the latest versions of Ad-Aware, Spybot, the Trend Micro online scan, AntiVir XP, and PC-cillin. I have looked through most of the files on my startup, running, and services menus in WinPatrol and I have run hijack. I have even called a friend of mine who works in a company that is solely devoted to getting rid of adware and spyware and had him walk me through a way to get rid of this program, but all to no avail. No matter what I do, they keep coming, and they are disrupting everything I try to do. I also worry that passwords and privacy information may be lost to them. I am doubly worried because I am in the process of filling out college applications and I enter my social security number, as well as a great deal of other information including credit card information, on a daily basis. Is there anything I haven't tried that might save my computer? By the way, I use Opera v8.5 instead of IE.
|
Clarification of Question by emorich-ga on 02 Nov 2005 17:24 PST
I am a Plus member of WinPatrol, and I have used the Plus information on most of the things listed, but it says they are all safe. Also, there's a typo: it was supposed to say HijackThis. I also put the HijackThis logfile onto the internet site that another answered question recommended, and fixed the things that it said were bad.
|
Request for Question Clarification by watershed-ga on 02 Nov 2005 17:54 PST
Hello emorich,
What sites are the pop-ups directing you to? Any information about the exact nature of the malware, such as internet addresses, strange behaviour, odd names, or odd processes will help. Have you tried Spyware Doctor? It has a very comprehensive scan which has helped me in the past, but it isn't free. Also, while you know your computer is compromised I would recommend that you do all information-sensitive tasks on another PC, or if that isn't possible, create a new partition on your hard drive and install a temporary OS on that for now.
|
Clarification of Question by emorich-ga on 02 Nov 2005 18:56 PST
They are a variety of different places.
http://www.virtual-free.com/normal/yyy65.html
http://www.jamster.com/s/jiw/html/affiliate/om/us/buy_this_real_tone/index.htm?tduid=3fd01e7ff310943a67bec787371276da
http://www.super-stock.com/normal/XBCYUS.html
http://www.starware.com/2.0.0.0/landing/weather/weather_01.php?banner=w0001&aff_id=weatherazoogle
http://www.deal-mobile.com/normal/yyy65.html
http://www.searc-h.com/normal/XBDYUS.html
http://www.searc-h.com/normal/yyy65.html
http://www.great-coupon.com/normal/yyy65.html
http://www.free-savings.com/normal/XBDYUS.html
http://www.discount-home.com/normal/XBDYUS.html
These are just a few of the sites, though they all seem to be sending me to different places. I have not tried Spyware Doctor, but I am trying to keep the price to a minimum if at all possible, and there is no guarantee that it will work, especially since nothing so far has. I've looked through the running tasks and services in WinPatrol, and while I didn't notice anything strange, I may have missed something. Other than that and a bit of sluggishness there has been no strange behavior that I can tell.
|
Clarification of Question by emorich-ga on 02 Nov 2005 19:10 PST
Update:
I went to Spyware Doctor's site and downloaded the trial version and scanned with it. It found a lot of risks, but the other programs did too. It also won't fix them without registering. Here are the results of the scan:
Scan Results:
scan start: 11/2/2005 9:56:17 PM
scan stop: 11/2/2005 10:04:04 PM
scanned items: 67180
found items: 130
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP
Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap
Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner
Infection Name Location Risk
AproposMedia rundll32.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia Explorer.EXE (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia jusched.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia wscntfy.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia iTunesHelper.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia pccguide.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia PCCClient.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia Pop3trap.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia winpatrol.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia qttask.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia Ares.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia memturbo.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia iexplore.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia Opera.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia WINWORD.EXE (C:\WINDOWS\system32\himbrand.dll) Medium
180search Assistant HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} Elevated
180search Assistant HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}\iexplore Elevated
Common Components Unrelated HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} Medium
Common Components Unrelated HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807}\iexplore Medium
InternetOptimizer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} High
InternetOptimizer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\iexplore High
LinkMaker Hijacker HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} Elevated
LinkMaker Hijacker HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22}\iexplore Elevated
SideFind HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} Elevated
SideFind HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\iexplore Elevated
UCmore toolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44BE0690-5429-47F0-85BB-3FFD8020233E} Info
& PUAs
UCmore toolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44BE0690-5429-47F0-85BB-3FFD8020233E}\iexplore Info
& PUAs
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\iexplore High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\1mm-opp-tg-turkey-120x60-05[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\Body[2].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[2].htm Elevated
VX2.Look2Me C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\yyy65[1].htm High
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\v4flash[1].js High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\10640-xbox360_300_boxbushfla[1].swf Elevated
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\get[1].media High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\index[3].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\index[2].htm Elevated
Starware C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\weather_01[1].htm Low
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\CAWP2Z4P.swf High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[1].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\Body[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\emailHygiene[1].js Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\1mm-opp-tg-turkey-120x60-07[1].gif Elevated
Starware C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\weather_01[1].gif Low
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\emailHygiene[1].js Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\1mm-opp-tg-turkey-120x60-07[3].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\index[3].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\index[1].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[5].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\1mm-opp-tg-turkey-120x60-05[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\index[1].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\10640-xbox360_300_boxbushfla[1].swf Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\1mm-opp-tg-turkey-120x60-06[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\1mm-opp-tg-turkey-120x60-07[2].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\index[2].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\1mm-opp-tg-turkey-120x60-05[2].gif Elevated
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\CA8P6DFC.htm High
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\get[2].media High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\300_4_clean[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\Top[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\index[4].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\Top[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\Top[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[6].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[8].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\Body[1].gif Elevated
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\trans[1].gif High
Starware C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\hbx[1].js Low
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[7].htm Elevated
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\resizedflashimg[1].gif High
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\Track[1].9866129904042342 High
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\Track[1].08800180659425916 High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\1mm-opp-tg-turkey-120x60-06[2].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[3].htm Elevated
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\KCPN9M2I\300X250_cursor3_aug8[1].swf High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\index[4].htm Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\1mm-opp-tg-turkey-120x60-06[1].gif Elevated
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\emailHygiene[1].js Elevated
Starware C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\OTAV4XYB\starware[1].css Low
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\nintendo_metroid_300x250_badboy_banner_V2[1].swf High
Affiliated with Browser
Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\4HQNIR0R\10640-xbox360_300_boxbushfla[1].swf Elevated
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet
Files\Content.IE5\LXITEX9Z\PRScript[1].dll High
Starware C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Cookies\joshua
welt@www.starware[1].txt Low
Known Bad Sites C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Cookies\joshua
welt@ads.pointroll[1].txt High
Starware C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Cookies\joshua
welt@h.starware[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\Joshua
Welt\Cookies\joshua welt@xiti[1].txt (Remnant) Medium
Tracking Cookie(s) C:\Documents and Settings\Joshua
Welt\Cookies\joshua welt@gamespy[1].txt (Remnant) Medium
Tracking Cookie(s) C:\Documents and Settings\Joshua
Welt\Cookies\joshua welt@ccbill[1].txt (Remnant) Medium
Advertising C:\Documents and Settings\Joshua Welt\Cookies\joshua
welt@adopt.hbmediapro[1].txt (Remnant) Low
Tracking Cookie(s) C:\Documents and Settings\Joshua
Welt\Cookies\joshua welt@fileinfo[1].txt (Remnant) Medium
Tracking Cookie(s) C:\Documents and Settings\Joshua
Welt\Cookies\joshua welt@fileplanet[1].txt (Remnant) Medium
ISTbar C:\Documents and Settings\Joshua Welt\Cookies\joshua
welt@ysbweb[1].txt (Remnant) High
Known Bad Sites C:\Documents and Settings\Joshua Welt\Cookies\joshua
welt@partner2profit[1].txt (Remnant) High
Known Bad Sites C:\Documents and Settings\Joshua Welt\Cookies\joshua
welt@orbitz.rpts[1].txt (Remnant) High
Tracking Cookie(s) C:\Documents and Settings\Joshua
Welt\Cookies\joshua welt@rn11[2].txt (Remnant) Medium
CWS.XPSystem C:\Documents and Settings\Joshua Welt\Cookies\joshua
welt@searchportal.information[1].txt (Remnant) Medium
Zestyfind C:\WINDOWS\icont.exe Elevated
Zestyfind C:\WINDOWS\iconu.exe Elevated
Zestyfind C:\Documents and Settings\Joshua Welt\Local
Settings\Temporary Internet
Files\Content.IE5\C5GMZ1KL\AppWrap[1].exe Elevated
Zestyfind C:\Documents and Settings\Joshua Welt\Local
Settings\Temporary Internet
Files\Content.IE5\GT6VG9IR\AppWrap[1].exe Elevated
Zestyfind C:\Documents and Settings\Joshua Welt\Local
Settings\Temporary Internet
Files\Content.IE5\S5EN8D6N\AppWrap[1].exe Elevated
ClearSearch C:\System Volume
Information\_restore{0570B96F-2818-403D-AC32-718C0E3B646C}\RP1\A0000006.dll High
ClearSearch C:\System Volume
Information\_restore{0570B96F-2818-403D-AC32-718C0E3B646C}\RP1\A0000007.exe High
Transponder.Ceres C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP113\A0019036.inf High
Trojan.Stubby C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP113\A0019038.inf High
Trojan.Stubby C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP113\A0019039.ini High
ILookup.Begin2Search C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP113\A0019044.ico High
ILookup.Begin2Search C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP113\A0019045.ico High
AproposMedia C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP113\A0019060.dll Medium
LinkMaker Hijacker C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP113\A0019074.exe Elevated
ClearSearch C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP126\A0020052.DLL High
ClearSearch C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP126\A0020053.DLL High
ClearSearch C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP126\A0020054.dll High
ClearSearch C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP126\A0020055.exe High
TargetSavers C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP135\A0020833.dll High
TargetSavers C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP135\A0020836.exe High
TargetSavers C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP135\A0020844.exe High
UCmore toolbar C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP135\A0020846.exe Info
& PUAs
VX2.Look2Me C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP138\A0021153.exe High
SahAgent C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP138\A0021166.exe Elevated
Transponder.DLMax C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP138\A0021168.exe High
ILookup.Begin2Search C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP138\A0021188.ico High
ILookup.Begin2Search C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP138\A0021191.ico High
SahAgent C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP138\A0021194.exe Elevated
ILookup.Begin2Search C:\System Volume
Information\_restore{0C57C01E-6335-4303-98C2-30DE5D71F74F}\RP138\A0021197.ico High
Common Components for 180Solutions items C:\temp\salmau.dat Elevated
Common Components for 180Solutions items C:\temp\salm_kyf.dat Elevated
AproposMedia C:\WINDOWS\system32\himbrand.dll Medium
Zestyfind C:\WINDOWS\Temp\bw2.com Elevated
Other Sections:
|
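The scan output above is a flat list of 130 hits, and the first thing a responder would want to know is which of them are still active. The Python below is an added example by the editor, not code from the thread or from Spyware Doctor: it parses lines in the tool's `Infection Name  Location  Risk` layout and sorts each hit into one of five buckets (a DLL reported inside a running process, a registry key, a copy inside a System Restore snapshot, a browser-cache or cookie file, or some other file on disk), then reports which DLLs are loaded into which processes. The sample input is a constructed subset of the lines posted above; the bucket rules are this example's own heuristics, not categories Spyware Doctor itself uses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the Spyware Doctor lines quoted in
# the thread above, in the tool's "Infection Name  Location  Risk" layout.
SAMPLE_LOG = r"""
AproposMedia rundll32.exe (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia Explorer.EXE (C:\WINDOWS\system32\himbrand.dll) Medium
AproposMedia Opera.exe (C:\WINDOWS\system32\himbrand.dll) Medium
180search Assistant HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} Elevated
UCmore toolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44BE0690-5429-47F0-85BB-3FFD8020233E} Info & PUAs
Affiliated with Browser Hijackers C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\OTAV4XYB\index[2].htm Elevated
VX2.Look2Me C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\KCPN9M2I\yyy65[1].htm High
Tracking Cookie(s) C:\Documents and Settings\Joshua Welt\Cookies\joshua welt@xiti[1].txt (Remnant) Medium
Zestyfind C:\WINDOWS\icont.exe Elevated
ClearSearch C:\System Volume Information\_restore{0570B96F-2818-403D-AC32-718C0E3B646C}\RP1\A0000006.dll High
Common Components for 180Solutions items C:\temp\salmau.dat Elevated
AproposMedia C:\WINDOWS\system32\himbrand.dll Medium
Zestyfind C:\WINDOWS\Temp\bw2.com Elevated
"""

RISKS = "High|Elevated|Medium|Low|Info & PUAs"

# Both the name and the location may contain spaces, so the parser anchors on
# what a location looks like: "process.exe (path)", a registry key, or a
# drive-letter path. The risk level is always the last field.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?P<loc>\S+\.exe\s+\(.+?\)|HK[A-Z]+\\.+?|[A-Za-z]:\\.+?)"
    r"\s+(?P<risk>" + RISKS + r")$",
    re.IGNORECASE,
)
IN_PROCESS_RE = re.compile(r"^(\S+\.exe)\s+\((.+)\)$", re.IGNORECASE)


def classify(loc):
    """Heuristic bucket for a finding's location (this example's own rules)."""
    low = loc.lower()
    if IN_PROCESS_RE.match(loc):
        return "loaded-in-process"
    if low.startswith("hk"):
        return "registry"
    if "system volume information" in low:
        return "restore-point"
    if "temporary internet files" in low or "\\cookies\\" in low:
        return "browser-cache"
    return "file-on-disk"


def parse(text):
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header and summary lines are skipped
            continue
        f = m.groupdict()
        f["kind"] = classify(f["loc"])
        findings.append(f)
    return findings


def triage(findings):
    """Count hits per bucket, map each injected DLL to the processes hosting
    it, and list the hits that are still live (not cache, not snapshot)."""
    by_kind = Counter(f["kind"] for f in findings)
    hosts = defaultdict(set)
    for f in findings:
        m = IN_PROCESS_RE.match(f["loc"])
        if m:
            hosts[m.group(2).lower()].add(m.group(1).lower())
    live = [f for f in findings if f["kind"] in ("file-on-disk", "registry")]
    return by_kind, dict(hosts), live


if __name__ == "__main__":
    by_kind, hosts, live = triage(parse(SAMPLE_LOG))
    for kind, n in by_kind.most_common():
        print(f"{n:3d}  {kind}")
    for dll, procs in hosts.items():
        print(f"DLL {dll} loaded in {len(procs)} process(es): {sorted(procs)}")
    for f in live:
        print(f"LIVE [{f['risk']}] {f['name']}: {f['loc']}")
```

Applied to the full list above, the same split puts the bulk of the 130 hits in the cache, cookie and restore-point buckets, which are inert copies, while the items that actually run are system32\himbrand.dll, reported inside fifteen processes including winpatrol.exe, pccguide.exe and Opera.exe, the loose executables icont.exe, iconu.exe and Temp\bw2.com under C:\WINDOWS, and the .dat files in C:\temp. A DLL present in every listed process, the anti-spyware and firewall components included, is being injected into each process as it starts (AppInit_DLLs and system-wide hooks are the usual mechanisms), which is a different persistence path from the Run keys that msconfig and WinPatrol list.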
Request for Question Clarification by elmarto-ga on 03 Nov 2005 04:28 PST
Hello emorich!
I recently had a similar experience and was able to solve it, so don't panic yet :) First of all, I would need to know whether the anti-spyware programs you ran (Ad-Aware, etc.) actually reported removing the malware, even though you're still experiencing the problem.
Best regards,
elmarto
|
Clarification of Question by emorich-ga on 03 Nov 2005 13:17 PST
Most of them did, yes. And I deleted them.
|
Request for Question Clarification by elmarto-ga on 03 Nov 2005 15:01 PST
Hello emorich,
If all the adware cleaning applications you've tried have failed, you may want to try using the System Restore feature of Windows XP. This will return your computer to a previous state (just like it was before running the malware) without losing any personal data files. Here's a simple tutorial from Microsoft on how to use it:
Use System Restore to Undo Changes if Problems Occur
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
After restoring the system, run an anti-adware program again and have it remove anything it finds.
Please let me know if this solution worked for you, so I can post it as an answer.
Best regards,
elmarto
|
Clarification of Question by emorich-ga on 03 Nov 2005 19:21 PST
**sigh** I think I have a bigger problem than I thought. Even after restoring to two weeks ago, they still keep coming. I eventually undid everything, as it didn't work at all. I'm wracking my brain to figure out where it could be hiding that a System Restore wouldn't kill it. Is it possible for it to infect the BIOS? If it did, how do I fix that?
|
Request for Question Clarification by pafalafa-ga on 03 Nov 2005 19:31 PST
Maybe I read over the comments here too fast, but I didn't notice you mention two of the most simple things that should be part of your clean-up attempts:
--use the "Add or Remove Programs" feature in your control panel to look over what's listed, and delete anything that looks hinky
--use msconfig to check your start-up list of programs, and uncheck anything that doesn't belong
You might also want to find a copy of BHODemon freeware, and use it as yet another anti-spyware sweep:
http://www.definitivesolutions.com/bhodemon.htm
Good luck...let us know how it works (or doesn't!)
pafalafa-ga
|
Clarification of Question by emorich-ga on 03 Nov 2005 19:42 PST
I had tried using Add/Remove Programs and checking the startup menu in msconfig (though I did it through WinPatrol). I tried that program, but that didn't work either. Buying an external hard drive, saving the things I want and wiping everything else would work, but I really REALLY don't want to do that, so only if there is no other way.
|
Request for Question Clarification by pafalafa-ga on 03 Nov 2005 20:26 PST
I was told by a trustworthy source that this was one of the best
how-to sites around for fixing a corrupted system:
http://www.malwarehelp.org/how-to-curepart-1-using-avat-software.html
I don't have any personal experience with the site, but it looks quite
professional to me just the same.
Step through the process (it may take the better part of a day) and
let us know how it works out.
paf
|
Clarification of Question by emorich-ga on 06 Nov 2005 11:57 PST
I used that link, and the walkthrough was comprehensive, but I had done almost all of it already. The only thing new was the part about rootkits, which I had never heard of. So I downloaded the program it suggested, RootkitRevealer, and ran it. It gave me the following log:
HKLM\SOFTWARE\CrjVmABFMl7n 10/26/2005 9:46 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackTime 11/6/2005 2:46 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackIP 11/6/2005 2:46 PM 28 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackPort 11/6/2005 2:46 PM 10 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PDFBIOS 10/26/2005 9:46 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\PDFbios 11/6/2005 2:07 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices 10/26/2005 10:46 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices\ACE.DLL 10/26/2005 10:46 PM 568.00 KB Hidden from Windows API.
C:\Program Files\Insvices\AI_01-11-2005.log 11/2/2005 2:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_02-11-2005.log 11/2/2005 8:23 PM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_03-11-2005.log 11/3/2005 2:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_04-11-2005.log 11/5/2005 12:42 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_05-11-2005.log 11/6/2005 11:15 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_06-11-2005.log 11/6/2005 2:05 PM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_31-10-2005.log 11/1/2005 2:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\Cache 10/26/2005 10:46 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices\NTSSSMGR.EXE 10/26/2005 10:46 PM 912.00 KB Hidden from Windows API.
C:\Program Files\Insvices\NVITHEME.EXE 10/26/2005 10:46 PM 160.00 KB Hidden from Windows API.
C:\Program Files\Insvices\WinGenerics.dll 10/26/2005 10:46 PM 576.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\IP62MTAG.SYS 10/26/2005 10:46 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\RDOLSAPI.EXE 10/26/2005 10:46 PM 460.00 KB Hidden from Windows API.
I have absolutely no idea what this means. I also don't know what to do if I did know. The program doesn't give you the option of deleting the files, but it does give you a path. I could delete them manually I guess, but if that was the solution it would probably have given the option. What should I do now?
|
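The RootkitRevealer log above mixes two kinds of discrepancy that mean very different things. Sysinternals documents `Hidden from Windows API` as an object present in the raw registry hive or raw file system but missing from the view the Windows API returns, which is exactly what a kernel-mode rootkit produces when it filters directory and registry enumeration; `Data mismatch` and `Windows API length not consistent` are reported when a value changes between the API read and the raw read, and values that are rewritten continuously, such as a firewall's last-attack counters, are the common benign source. The script below is an added example by the editor, not part of the thread or of RootkitRevealer: it parses the log layout shown above, separates the two classes, and groups the hidden objects so that a hidden service key, its hidden LEGACY_ enumeration entry and a hidden .sys driver file are reported together. The sample input is a constructed subset of the lines posted above; the grouping rules are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the RootkitRevealer lines quoted in
# the thread above, in the tool's "path  date  time  size  discrepancy" layout.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\CrjVmABFMl7n 10/26/2005 9:46 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackTime 11/6/2005 2:46 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackIP 11/6/2005 2:46 PM 28 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PDFBIOS 10/26/2005 9:46 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\PDFbios 11/6/2005 2:07 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices 10/26/2005 10:46 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices\ACE.DLL 10/26/2005 10:46 PM 568.00 KB Hidden from Windows API.
C:\Program Files\Insvices\AI_06-11-2005.log 11/6/2005 2:05 PM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\NTSSSMGR.EXE 10/26/2005 10:46 PM 912.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\IP62MTAG.SYS 10/26/2005 10:46 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\RDOLSAPI.EXE 10/26/2005 10:46 PM 460.00 KB Hidden from Windows API.
"""

# The path may contain spaces, so anchor on the date/time/size fields that
# follow it; the discrepancy text runs to the end of the line.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB))\s+(?P<desc>.+?)\.?$"
)
SERVICE_RE = re.compile(r"^HKLM\\SYSTEM\\ControlSet\d+\\Services\\([^\\]+)$", re.I)
LEGACY_RE = re.compile(r"^HKLM\\SYSTEM\\ControlSet\d+\\Enum\\Root\\LEGACY_([^\\]+)$", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse(text):
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_hidden(entry):
    """True for objects present in the raw hive/filesystem but absent from the
    Windows API view; the other discrepancy types are value mismatches."""
    return entry["desc"].startswith("Hidden from Windows API")


def _names(regex, entries):
    """Lower-cased capture group 1 of every entry path the regex matches."""
    out = set()
    for e in entries:
        m = regex.match(e["path"])
        if m:
            out.add(m.group(1).lower())
    return out


def triage(entries):
    hidden = [e for e in entries if is_hidden(e)]
    noisy = [e for e in entries if not is_hidden(e)]

    # A service key, its LEGACY_ enum key and a .sys file all hidden together
    # is the shape of a driver that conceals its own persistence.
    hidden_services = _names(SERVICE_RE, hidden) & _names(LEGACY_RE, hidden)
    drivers = [e["path"] for e in hidden if e["path"].lower().endswith(".sys")]

    # Group hidden files by parent directory so a whole hidden tree is visible.
    by_dir = defaultdict(list)
    for e in hidden:
        if DRIVE_RE.match(e["path"]):
            by_dir[e["path"].rsplit("\\", 1)[0]].append(e["path"])

    # Mismatch entries clustered under one key are the classic benign case:
    # values rewritten while the scan ran.
    noisy_keys = {e["path"].rsplit("\\", 1)[0] for e in noisy}

    return {
        "hidden": len(hidden),
        "noisy": len(noisy),
        "hidden_services": hidden_services,
        "drivers": drivers,
        "by_dir": dict(by_dir),
        "noisy_keys": noisy_keys,
    }


if __name__ == "__main__":
    r = triage(parse(SAMPLE_LOG))
    print(f"{r['hidden']} hidden objects, {r['noisy']} value mismatches")
    print("hidden service(s) with hidden LEGACY_ entry:", sorted(r["hidden_services"]))
    print("hidden driver(s):", r["drivers"])
    for d, paths in sorted(r["by_dir"].items()):
        print(f"{d}: {len(paths)} hidden item(s)")
    print("mismatch-only keys:", sorted(r["noisy_keys"]))
```

On the full log the picture is consistent: one hidden service (PDFbios) with a matching hidden LEGACY_PDFBIOS entry, a hidden driver IP62MTAG.SYS in system32\drivers, a hidden C:\Program Files\Insvices directory holding executables, DLLs and a three-byte log file per day, a hidden RDOLSAPI.EXE in system32 and a hidden key under HKLM\SOFTWARE, most of them stamped 10/26/2005, versus three mismatch entries that all sit under PC-cillin's FireWall key and carry the scan's own timestamp. RootkitRevealer only reports discrepancies. A driver that hides files from the running kernel hides them from whatever tool tries to delete them as well, so the reliable way to deal with the hidden set is to inspect and clean the disk from a boot environment the rootkit does not control, or to rebuild the system.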
Request for Question Clarification by pafalafa-ga on 09 Nov 2005 20:04 PST
emorich-ga,
How's it going...any progress?
One more thing you might want to try:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
It's pretty new, and I've no direct experience with it myself, but it
seems worth a shot...
Let me know how it works out.
paf
|
Clarification of Question by emorich-ga on 11 Nov 2005 19:56 PST
Reading the most recent request for clarification, along with the fact that it has been a very long time since your last post, I believe that you may have not seen my last response, so I will repost it. I also do not want to download a new program to try and deal with my popups until I am sure that what I have done so far has not worked. Here is my previous post:
Clarification of Question by emorich-ga on 06 Nov 2005 11:57 PST
I used that link, and the walkthrough was comprehensive, but I had done almost all of it already. The only thing new was the part about rootkits, which I had never heard of. So I downloaded the program it suggested, RootkitRevealer, and ran it. It gave me the following log:
HKLM\SOFTWARE\CrjVmABFMl7n 10/26/2005 9:46 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackTime 11/6/2005 2:46 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackIP 11/6/2005 2:46 PM 28 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\TrendMicro\PC-cillin\FireWall\LastAttackPort 11/6/2005 2:46 PM 10 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PDFBIOS 10/26/2005 9:46 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\PDFbios 11/6/2005 2:07 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices 10/26/2005 10:46 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices\ACE.DLL 10/26/2005 10:46 PM 568.00 KB Hidden from Windows API.
C:\Program Files\Insvices\AI_01-11-2005.log 11/2/2005 2:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_02-11-2005.log 11/2/2005 8:23 PM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_03-11-2005.log 11/3/2005 2:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_04-11-2005.log 11/5/2005 12:42 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_05-11-2005.log 11/6/2005 11:15 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_06-11-2005.log 11/6/2005 2:05 PM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\AI_31-10-2005.log 11/1/2005 2:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Insvices\Cache 10/26/2005 10:46 PM 0 bytes Hidden from Windows API.
C:\Program Files\Insvices\NTSSSMGR.EXE 10/26/2005 10:46 PM 912.00 KB Hidden from Windows API.
C:\Program Files\Insvices\NVITHEME.EXE 10/26/2005 10:46 PM 160.00 KB Hidden from Windows API.
C:\Program Files\Insvices\WinGenerics.dll 10/26/2005 10:46 PM 576.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\IP62MTAG.SYS 10/26/2005 10:46 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\RDOLSAPI.EXE 10/26/2005 10:46 PM 460.00 KB Hidden from Windows API.
I have absolutely no idea what this means. I also don't know what to do if I did know. The program doesn't give you the option of deleting the files, but it does give you a path. I could delete them manually I guess, but if that was the solution it would probably have given the option. What should I do now?
|
Request for Question Clarification by pafalafa-ga on 11 Nov 2005 20:06 PST
emorich-ga,
Regarding the rootkits, you wrote: <<I have absolutely no idea what this means...>>
That makes two of us! Wish I could help with the rootkits, but I'm just not familiar with that software and (frankly) not quite willing to download it and begin playing around.
The Microsoft spyware software is a pretty new addition to the arsenal, and is reportedly a good tool that is kept up-to-date as new threats emerge. May be worth a shot.
Wish I could provide some more definitive assistance, but as you've no doubt gathered by now, some of these bugs can be the dickens to get rid of, and there's a large amount of trial and error that has to happen before one (hopefully) succeeds.
Best of luck,
paf
|
Clarification of Question by emorich-ga on 18 Nov 2005 11:33 PST
I have not yet used the program recommended because for some reason the popups have suddenly stopped. What's strange is that they seem to have stopped of their own volition. I did not scan or delete anything that I can think of, and suddenly my computer is working fine again. I thought it was only temporary, but as of a few days after my last post, I have had no popups. I'm still a little worried about security, but at the same time I am afraid to rock the boat and scan or anything. Maybe I'm just being paranoid. What would you recommend?
|
Request for Question Clarification by pafalafa-ga on 22 Nov 2005 09:35 PST
If things are still working as you'd like them to, I'd say just leave things be.
Like they say, If it ain't broke...don't fix it.
You may want to review your system security, and think about what
anti-spyware strategies and software to use to minimize future
problems.
Good luck.
paf
|