Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

can't stop the pesky pop ups.... 1

Status
Not open for further replies.

woody2002

IS-IT--Management
Jan 3, 2003
37
GB
Hi...

I was wondering if I'm looking in the right direction... I've had loads of problems with pop ups (even popping up if the browser window isn't open!) I ran Adaware and Spybot S&D and removed a hell of a lot of nasties...everything was fine, or so I thought...2 hours later the pop ups started again, so I reran Spybot and it found another load of things. The thing is I wasn't even surfing the net...I ran HijackThis! and this what I got back....can someone please tell me if there are any things in here that shouldn't be:

*******************************************

Logfile of HijackThis v1.97.7
Scan saved at 16:28:34, on 10/03/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\wtssvtr.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\System32\ataclend.exe
C:\Documents and Settings\john.turner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [ataclend] C:\WINDOWS\System32\ataclend.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvtr.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Edit with XML Spy (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ebbon-dacs.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = ebbon-dacs.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ebbon-dacs.co.uk

***********************************************

Thanks a lot to anyone that can decipher this! Is there any other explanation? Could a Trojan be "kicking" everything off again? Quite inexperienced in this area, so please be gentle :)

Cheers
 
First, turn off Windows Messenger Service. Instructions here:

Second, there are two entries in your log that bother me...mostly because I can't readily find anything on them.
They are:
O4 - HKLM\..\Run: [ataclend] C:\WINDOWS\System32\ataclend.exe
and
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvtr.exe

Disable System Restore:
You can let Hijack This! remove these two entries and see what effect it has on your system's behavior. By removing the entries, all you're going to be doing is preventing them from running on startup. You can always restore them via Hijack This!' backup funtionality.

Reboot.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
How about these-pretty sure about the first 3, more iffy on fourth.

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
 
diogenes10,
Those first two are nulls...but it doesn't hurt to clean them out for aesthetics' sake. The third entry is RealPlayer related...probably not the source of pop-ups, but unnecessary dead weight IMHO.
The fourth entry is related to Microsoft XML Core Services and probably should be left alone.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Get yourself a firewall like Sygate or Keiro these both work well to stop popups.
 
Thanks Carr...star for you. No more pop ups as yet! Have a sneaky suspicion it was my failure to turn off the system restore.

Thanks again :)

Woody
 
You have ataclend.exe - a "Malware" program. It can be removed by Adaware. Make sure that you have the latest definitions.

Junkie
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top