
Need a No-Pop list for the Internet!


Seecke

IS-IT--Management
Aug 23, 2003
OK,

I have been reading the posts here regarding AdAware, Spy-Bot, Hijack This, and every other utility to stop the popups from occurring. I have followed instruction after instruction and still no luck. I wish just one of these pop-up killers would actually work.

Here is my hijack log:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\uptodate.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\tools\HijackThis.exe
C:\WINNT\system32\Pzgg.exe
C:\WINNT\system32\CmguK4.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Empire Title Colorado Springs
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.empiretitlecospgs.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Now, the ones that I am concerned about are the Pzgg.exe and Cmguk4.exe in my system32 directory that are a part of the Running Processes section.

I have found a way to stop the popups for the day. I hit ctrl-alt-del on my Win2k machine, select Task Manager and then select the Processes tab. I scroll down a bit until I find some unusually named executable files, right click them, then select End Process Tree. This seems to work until the user logs out and back in again. Then it starts all over.

AdAware and the others cleaned up a lot of stuff, but this one hangs around, and after updating each tool I still have this one piece of crap messing with the system. Out of 9 PCs on the network, this is the ONLY one that is infected.

Thanks in advance for your help!

Steven E. Elliott NCW

P.S. Just before this plea for help I removed the Google stuff.
 
Actually, those are all tools for checking and deleting ad programs, not pop-up stoppers. The one I use is PopUpStopper from and it seems to work fairly well with stopping the windows from opening. I did find that the older version (11/22/2002) seemed to stop more windows. I uninstalled the latest version (2003) and reinstalled the newer version for that reason.

This tool does not stop the Ad Programs from placing cookies on your computer, so you still need to run AdAware at least weekly.

Terry
**************************
* General Disclaimer - Please read *
**************************
Please make sure your post is in the CORRECT forum, has a descriptive title, gives as much detail to the problem as possible, and has examples of expected results. This will enable me and others to help you faster...
 
Are those two programs starting the processes in question? If so, what happens if you have HiJack remove those two entries?



James P. Cottingham

There's no place like 127.0.0.1.
 
THoey
Maybe I misspoke when I said pop-up... The user can be working away using internal proggys and stuff, then all of a sudden, out of nowhere, an ad for Viagra, some Security Product, Increase the size of your... pops up. Well anyway, the interesting thing is, she never had the browser loaded. I can go into Task Manager and "End Process" on the Pzgg.exe file, and a few seconds later a new process appears with an entirely different name (sjarwzcx.exe), and then if I end process on that, another appears with a different name. (The new names seem to cycle through, though. I think I remember about 4 end processes before I saw the original name come back.) Now, if I "End Process Tree" on any one of those... the problem goes away until she logs out then back in again. Thanks for your input!

2ffat
I have deleted these several times but they still appear after reboot. I really hate to take the machine back to zero, but I think that's the only way to be sure the crap is gone.

Everyone:
I just ran all of my tools and here are the results of the Hijack scan:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\system32\Pzgg.exe
C:\WINNT\system32\Pzgg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AIM\AIM.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Empire Title Colorado Springs
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [3XCRPYG2ZB@8A3] C:\WINNT\system32\Pwcm74j.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.empiretitlecospgs.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Please take note of the line:
O4 - HKLM\..\Run: [3XCRPYG2ZB@8A3] C:\WINNT\system32\Pwcm74j.exe

and

C:\WINNT\system32\Pzgg.exe
C:\WINNT\system32\Pzgg.exe (nope this was not due to my fingers stuttering, there are actually 2 instances running)

Thanks Again!!!
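Comparing the two posted scans by eye is error-prone, so here is a small log differ, added here as an example and not something posted in the thread: it parses the "Running processes" section and the R*/O* entries of two HijackThis logs, reports what appeared, what vanished and which image is running more than once. The two embedded logs are constructed, abridged versions of the ones above.

```python
import re
from collections import Counter

# Constructed, abridged versions of the two logs posted in the thread.
LOG_BEFORE = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\Pzgg.exe
C:\WINNT\system32\CmguK4.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""
LOG_AFTER = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\Pzgg.exe
C:\WINNT\system32\Pzgg.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [3XCRPYG2ZB@8A3] C:\WINNT\system32\Pwcm74j.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""
ENTRY_RE = re.compile(r"^[RO]\d+ - .+$")  # R0/R1/O2/O4/O6... entry lines

def parse_log(text):
    """Return (running process paths, R*/O* entry lines) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False            # a blank line ends the process section
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line.lower())  # Windows paths are case-insensitive
        elif ENTRY_RE.match(line):
            entries.append(line)
    return procs, entries

def diff_logs(before, after):
    """What appeared, what vanished and what runs twice between two scans."""
    p0, e0 = parse_log(before)
    p1, e1 = parse_log(after)
    return {
        "new_processes": sorted(set(p1) - set(p0)),
        "gone_processes": sorted(set(p0) - set(p1)),
        "new_entries": sorted(set(e1) - set(e0)),
        "gone_entries": sorted(set(e0) - set(e1)),
        # image paths running more than once, as the poster saw with Pzgg.exe
        "duplicate_processes": sorted(p for p, n in Counter(p1).items() if n > 1),
    }
```

On the two samples it reports the new [3XCRPYG2ZB@8A3] Run entry and the O6 restriction as new, CmguK4.exe as gone, and Pzgg.exe as duplicated.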
 
Carrr,

The msngr service has been disabled from the server side... NO ONE is able to run the Windows Messenger Service and on the PC in question, (as well as all others here) it has been disabled as well. Did you see something in the hijack log that says that it is running? or was that just an added tip?

Thanks in either case.
 
This is what I had to do for Apropos (another ad popup program):
1) Turn off restore (XP).
2) Ran MSCONFIG. In the INI files, I commented out anything I didn't think should be there. (I didn't delete anything until I was certain it didn't belong.) In the services and startup, I unchecked anything I didn't think should run.
3) After everything checked out, I ran REGEDT32, searched for the program(s) I stopped and deleted the file(s) from the registry. Note that I used REGEDT32 instead of REGEDIT since sometimes the file is in multi-value keys.
4) Finally, I searched the harddrive for any variation of the program(s) name and deleted the files (and directories).

James P. Cottingham

There's no place like 127.0.0.1.
 
I was reaching, actually, with that tip. The nature of the ads you described made me think that maybe that was how they were coming through.

I'd follow 2ffat's lead, but I'm guessing you're running 2k, which has no MSCONFIG.
 
Have you, using Hijack This!, removed this entry?:
O4 - HKLM\..\Run: [3XCRPYG2ZB@8A3] C:\WINNT\system32\Pwcm74j.exe

If not, do so.

I'd also navigate to these files in Windows Explorer:
C:\WINNT\system32\Pzgg.exe
C:\WINNT\system32\Pzgg.exe
and rename them to pzgg.old

Now reboot and rescan. Repost log.

 
2fatt,

THANKS for making me go back to the basics of tec'ing! I went and got a copy of MSCONFIG.EXE and ran it. In the Startup tab I found a file (Pzgg.exe) and unchecked the box next to it and rebooted. I ran it again and found another file (Sj1Bxdg.exe) and did the same with it and rebooted. Now I am running the system to see if they reappear. Will let you all know what my results are when I get some.

THANKS TO ALL who replied!
 
Carrr,

Yup, tried that and it came back... sumpin else is creating it. Tried to find it in the system32 directory... no such file.

Things that make you go hmmmmmmmmmmmmmmm!!
 
Hmmm....alright.

Are you still cruising along ok after 2ffat's suggestion? If so, case closed.
If they do come back, you might try several virus scans, starting with the Trend Micro link I posted above.
Unchecking things in msconfig is great, but you're only removing them from startup; they're still on your system.
 
So far so good! Thanks for your help Carr! 2fatt's help is currently holding its own.

All of you all are AWESOME!
 
Glad we could help and thanks for all the fish stars. [thumbsup2]

James P. Cottingham

There's no place like 127.0.0.1.
 
Update...

So far so good! The user had no additional ads appear for the rest of yesterday, and as for today... nothing pops up! yahooooooo!!!

Thanks to 2fatt for the proverbial "Kick in the head" to make me go back to the basics of tec'ing.



 