
Cannot remove a pop up advertising

Status
Not open for further replies.

acjeff

I got some spyware from the Internet for some reason. I tried using both Microsoft Anti-Spyware Beta version and Ad-Aware to scan and remove it. I am sure I did update them before scanning my system. However, once in a while, I still have a pop-up window showing advertisements, no matter whether I am opening Internet Explorer or doing something else. The window heading is "Popuppers Advertisement Window3". My system also has Google pop-up blocker and Microsoft pop-up blocker which came with XP Service Pack 2.

How can I get rid of the spyware?
 
Alright,

I would suggest running both MS and Spybot again, then running a program called "Hijack This!". It will list all registry entries and running processes that can be considered suspect. It will allow you to manually remove the entries that should not exist.

If you are uncertain of what is being listed you can post your log file here and we can help.
 
Ensure Windows messaging (NOT MSN MESSENGER) service is stopped... Right click My Computer > scroll to Manage > click on Services and Applications > Services > Locate Messenger > Double click on this and use the spin box to set it to disabled - this service is unnecessary and sometimes allows pop ups.

Kes:)
 
First, I did check on the Windows Messaging and it was already disabled.

Actually, I did a lot of work. I used Microsoft Anti-Spy twice, Ad-Aware twice, Spybot about 5 times, RegCleaner, Disk Cleanup and defragmentation. However, the advertising still pops up. Is HiJack This the same as RegCleaner?
 
You didn't mention doing this, so I'll make this suggestion. I have noticed at work that some adware gets listed in the add/remove programs. These don't get picked up by adaware and spybot. However, you can delete them through the control panel, and run adaware and spybot and they will then clean out the remnants.
 
You were definitely right. I just found DMVlite in my Add/Remove list. I am not sure if this is causing the pop up ad. When I clicked the remove button, it opened the web browser and told me to download the DMVlite Uninstaller. I didn't do that because that might be a trap. So, what is the best, easiest and safest way to remove it?
 
Hi folks,

I did mention that I got spyware and that DMVlite is shown in the Control Panel Add/Remove list. I believe this stuff is giving me advertising popup windows once in a while. After trying all the removers I mentioned before, here is the HiJackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 10:34:05 AM, on 2/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\a64sddd.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{459AC0BD-60FB-4BD3-BED5-F050061B5C00}: NameServer = 206.141.193.55,205.141.193.56

Ok now, can anybody tell me what I should do next? Please help ASAP.

Thanks,
Jeff
 
This may be the cause. I noticed that there is an entry in your trusted zone for popuppers.com:

O15 - Trusted Zone: *.popuppers.com

This would allow things from that site through to your computer. The trusted zone is under your Internet Explorer options. Try to remove that entry and see if that fixes the problem.
 
Delete these:

O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

And I would be very suspicious of these also, unless you have any idea what they relate to? If not, I would get rid of them myself...


O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

Hope this helps,

Kes :)
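
A small triage helper for the log format posted in this thread, added here as an example and not part of any poster's reply or of HijackThis itself: it parses the section codes, checks which O4 autostart entries are currently running, and links them to O15 Trusted Zone domains that share a name. The function names and the name-matching heuristic are assumptions; the sample lines are copied from the log above.

```python
import re

# Shortened excerpt; every line is copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\a64sddd.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # "O4 - ...", "O15 - ..."
RUN = re.compile(r'^HK\w+\\\.\.\\Run\w*: \[([^\]]*)\] "?(.+?\.exe)', re.I)


def parse(log_text):
    """Return (running process paths, entries grouped by section code)."""
    running, entries, in_procs = set(), {}, False
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_procs and line:
            running.add(line.lower())
        # The process list runs from its header to the first blank or coded line.
        in_procs = line == "Running processes:" or (in_procs and bool(line) and not m)
    return running, entries


def triage(log_text):
    """Pair each O4 autostart with its running state and any O15 name it shares."""
    running, entries = parse(log_text)
    zones = [e.split(": ", 1)[1] for e in entries.get("O15", []) if ": " in e]
    # Assumed heuristic: leftmost label after the wildcard,
    # e.g. "*.popuppers.com" -> "popuppers"
    labels = {z.lstrip("*.").split(".")[0].lower() for z in zones}
    report = []
    for name, path in (m.groups() for e in entries.get("O4", []) if (m := RUN.match(e))):
        hits = sorted(l for l in labels if l in f"{name} {path}".lower())
        report.append({"name": name, "path": path,
                       "running": path.lower() in running, "zone_match": hits})
    return zones, report
```

An empty `zone_match` only means no name overlap was found; the `Dvx` entry shows an autostart that is running but has no matching Trusted Zone name, so it still needs to be judged by its path.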
 