Pop ups when nothing is running

Status
Not open for further replies.
Apr 15, 2002
273
US
I have an XP Pro machine with all available updates installed. For some reason I get pop ups while nothing is running and I can get them to stop. I have run AD-Aware and SpySweeper and they have found nothing. I have gone through msconfig and stopped anything that appears to be out of the norm. I look at running processes and see nothing that looks like spyware. The machine can be on, with nothing running, then suddenly an IE page shows up in my taskbar and has the word “loading” as the description, then after about 10 seconds the page pops up, usually an eBay ad. Anyone have any ideas as to what is pulling these ads? Any other programs that could maybe identify what is causing this? Thanks
 
Have you stopped your Messenger Service?

This service is not related with MS Messenger, or MSN Messenger or any other IM client.

Control Panel, Administrative Tools, Services, scroll down until you see "Messenger". Double-click, Stop the Service, and set its startup type to "Disabled."
 
I have already stopped the Messenger service. Although doesn't that stop the grey pop ups that look like netsend messages? Mine are plain and simple IE pop ups. I will try spybot, although do you think it is better than AD aware and spysweeper?
 
Something must be starting with your machine, download Hijack This from and run the scan, then take a look at for details of what the scan means.

If you are still having a problem create a start-up log from the config section and then post it here for assistance.

Greg Palmer

----------------------------------------
Any feed back is appreciated.
 
Still getting them, plus tonight I got a "Do you want to install and run Orbit Browser Plugin.......Always trust content from Tempo Internet"


Here is what I have from Hijack:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\syslaunch.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian Glaser\Desktop\HijackThis.exe
 
Tempo Internet appear to be the originators of the Xupiter toolbar, which is apparently a very evil little beast, may be that or something related. Check out
for more info

Help us to help you, please post back and tell us if this helped.
All things are possible except skiing through a revolving door.
 
I have had Plus for a long time and never had issues. I also choose not to install anything from the sponsor (I think it's GAIN). I have never had issues with Xupiter, my home page has always been Google, it's never hijacked and I never have issues with redirection. I may do a clean install just to clear this issue up if I can't stop this from happening. Any other ideas or suggestions?
 
Is that all that HT! logged? Looks like you only posted the first leg of it...
 
Here is the whole thing
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\syslaunch.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Program Files\Internet\iMesh\iMeshClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian Glaser\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

C-Media Mixer = Mixer.exe /startup
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
ATIPTA = atiptaxx.exe
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ASUS Probe = C:\Program Files\ASUS\Probe\AsusProb.exe
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
InCD = C:\Program Files\Ahead\InCD\InCD.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iehelper = C:\Program Files\syslaunch.exe
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\reloaded.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\DAP\DAPBHO.dll - {0000CC75-ACF3-4cac-A0A9-DD3868E06852}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\inotes.dll
CODEBASE =
[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE =
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE =
[InstallHelper Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ThereInstallHelper.dll
CODEBASE = file://C:\DOCUME~1\BRIANG~1\LOCALS~1\Temp\ThereInstallHelper.dll

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE =
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE =
--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
 
To remove the spyware that comes with Messenger Plus!, go into your Control Panel->Add/Remove Programs and uninstall Messenger Plus! from there. When you uninstall it, you will have to put in a confirmation code so the spyware knows that you are a human and it will remove itself. Then get the latest version of Msgplus from and install it. BUT make sure you untick the option to install the sponsor. It looks like a normal 'Do you agree to install this software' thing but untick it! Then finish the installation and the spyware should be gone. :)
 
The iehelper = C:\Program Files\syslaunch.exe entry is the W32.Adclicker trojan, that, as the name suggests, generates ads. Go to and run the free virus checker.

Greg Palmer

----------------------------------------
Any feed back is appreciated.
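
Added example (not part of any post in this thread, and not HijackThis code): a short Python triage pass over the "Autorun entries from Registry" sections of a startup log in the format posted above. The two review rules are assumptions chosen for illustration; the first one is what surfaces the `iehelper` entry identified in the last reply. The sample log is constructed from lines in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: Run-key lines copied from the startup log posted above.
SAMPLE_LOG = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
ATIPTA = atiptaxx.exe
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iehelper = C:\Program Files\syslaunch.exe
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""
RUN_KEY = re.compile(r"^(HKLM|HKCU)\\.*\\Run(Once)?$", re.I)
ENTRY = re.compile(r"^(?P<name>[^=]+?) = (?P<cmd>.+)$")
# Executable path = text up to the first extension followed by space, quote or end.
EXE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr))(?=\s|"|$)', re.I)
PROGRAM_FILES = {"program files", "progra~1"}

def parse_run_entries(log_text):
    """Return [{'key', 'name', 'path'}] for each value listed under a Run key."""
    entries, key = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if RUN_KEY.match(line):
            key = line                      # start of a Run-key section
        elif line.startswith("----------"):
            key = None                      # divider closes the section
        elif key and (m := ENTRY.match(line)):
            exe = EXE.match(m["cmd"])
            entries.append({"key": key, "name": m["name"],
                            "path": exe["path"] if exe else m["cmd"]})
    return entries

def triage(entries):
    """Flag entries for manual review; a flag is a prompt to check, not a verdict."""
    flagged = []
    for e in entries:
        parts = PureWindowsPath(e["path"]).parts
        if len(parts) == 3 and parts[1].lower() in PROGRAM_FILES:
            flagged.append((e["name"], "executable directly in Program Files"))
        elif len(parts) == 1:
            flagged.append((e["name"], "bare file name, resolved via search path"))
    return flagged
```
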
 