Strange popup problem


organman

When I start my HTML editing program I also get a popup window (i.e. Internet Explorer starts a window).
This only happens when starting my HTML editing program.

When I close the HTML editing program I get another popup window.
This also only happens when closing my HTML editing program.

I also get a few cookies from gator com after these popups are shown.

I've run AdAware SpyBot but it will not clean out this problem.

Any ideas on how to get rid of this ?




Below are the pages that open in the popup windows.




 
Ok, I ran HiJackThis after I started my HTML edit program and the first popup window was shown.

Here's the log:
Logfile of HijackThis v1.98.2
Scan saved at 13:59:21, on 2004-09-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Network Associates\VirusScan\avsynmgr.exe
C:\Program\Novell\ZENworks\nalntsrv.exe
C:\Program\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program\Tenable\NeWT\newtd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Novell\ZENworks\wm.exe
C:\Program\Network Associates\VirusScan\VsStat.exe
C:\Program\Network Associates\VirusScan\Vshwin32.exe
C:\Program\Delade filer\Network Associates\McShield\mcshield.exe
C:\Program\Network Associates\VirusScan\Webscanx.exe
C:\Program\Network Associates\VirusScan\Avconsol.exe
C:\Program\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program\Microsoft ActiveSync\WCESMgr.exe
C:\NOVELL\GroupWise\Notify.exe
C:\NOVELL\GroupWise\GrpWise.exe
C:\Program\BeginFinite\GWAVA\tools\spamexp\ExportSpam.exe
C:\Program\Winamp3\Winamp\winamp.exe
C:\Program\BeginFinite\GWAVA\arcview.exe
Z:\mgmt\ConsoleOne\1.2\bin\ConsoleOne.exe
C:\WINDOWS\System32\mdm.exe
C:\Program\SoftQuad\HoTMetaL PRO 6\hmpro6.exe
C:\Program\Internet Explorer\iexplore.exe
I:\Verktyg\HiJackthis\HijackThis19802.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer erhållet av IT-avdelningen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.6:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GroupWise Avisera.lnk = C:\NOVELL\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skapa mobilfavorit - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Skapa mobilfavorit... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://it-info
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - C:\Novell\Messenger\nmcg32.dll


Hope you can get anything out of this.
I can't find anything in the log that seems strange.

Regards
Lars-Gunnar
 
Curious.
The only entries that bother me are:
R3 - Default URLSearchHook is missing
and
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

...but I don't think they're the source of your problem.

Do you have an entry for Gator in your Add/Remove Programs window? If so, remove it.

Also, is it possible that you installed something that had Gator/GAIN software bundled with it?
Read this: You can click on the link in the third paragraph for instructions on how to detect GAIN products on your pc.

Good luck.


Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
That is a lot of files to have starting up; I would remove a lot of those. Gator is a known spyware that will cause your pop-ups. More than likely it was installed when you installed a freeware program; you might also have to uninstall the freeware program. But any files that are missing, say gator, or search, I would remove. -Joe
 
Check your hosts file. It is found on your system in
C:\Windows\System32\drivers\etc. Open it with notepad and see if you see something out of place. You can also try installing google toolbar found at
Try using CWShredder as well

Run the full system scan in Ad-Aware SE. This also scans compressed files that are missed by the smart scan.

Download Spyware Blaster
 
No Gator entry in Add/Remove programs.
No unknown programs in Add/Remove programs.
Nothing in my hosts file.
Ran CWShredder, nothing to fix.
Ran AdAware fullscan, nothing to fix.

Any other ideas ?

Regards
Lars-Gunnar
 
Search through the Add/Remove Programs list and check to see if there is any program that has the word search in it, such as 180search, search assistant,... etc. If so, remove it/them. Getting low on ideas :)
 
Try removing this entry with Hijackthis
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

Also download Spyware Guard and update it

I suggest you are also running updates on your spyware removal programs as well?

Clean out your temp files and temporary internet files as well.

I hope this helps
Art
 
Removed R0 entry as suggested, no change.
Yes, I regularly update AdAware.
Installed Spyware Guard, does not detect my problem.
Cleaned out all temp files, no change.

However I found this out:

If I log on to the computer as another user and start the HTML editing program the problem is NOT seen.

The problem seems to only affect one specific user.

Any new ideas after this info ?

/Lars-Gunnar
 
This narrows it down to an HKCU entry (HKEY_CURRENT_USER)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer erhållet av IT-avdelningen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.6:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

Do any of the above look suspicious to you? I am looking at the R0 entry here and possibly the ProxyOverride entry. I would start with the R0 if you do not know what it is.

I hope this helps
Art
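
Added example (not part of the thread and not HijackThis's own code): once a problem is tied to a single user profile, the log can be filtered down to the entries that live in that profile. The sample lines are copied from the log posted above; the function names and the scope mapping (HKCU and "Startup:" as per-user, HKLM and "Global Startup:" as machine-wide) are assumptions of this sketch.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied from the HijackThis log in this thread,
# including one line where two entries ended up fused on a single line.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.2.6:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: GroupWise Avisera.lnk = C:\NOVELL\GroupWise\Notify.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
"""

Entry = namedtuple("Entry", "code scope body")
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
FUSED = re.compile(r"\s+(?=[RFNO]\d{1,2} - )")  # a second entry starting mid-line

# Assumption of this sketch: scope is taken only from what the line itself states.
SCOPE_PREFIXES = (
    ("HKCU\\", "user"), ("Startup:", "user"),
    ("HKLM\\", "machine"), ("Global Startup:", "machine"),
)

def parse(log):
    """Return one Entry per HijackThis item, splitting fused lines."""
    entries = []
    for line in log.splitlines():
        for piece in FUSED.split(line.strip()):
            m = ENTRY.match(piece)
            if not m:
                continue  # header or running-process line
            code, body = m.groups()
            scope = next((s for p, s in SCOPE_PREFIXES if body.startswith(p)), "unscoped")
            entries.append(Entry(code, scope, body))
    return entries

def per_user(log):
    """Entries stored in the logged-on user's profile (HKCU / user Startup)."""
    return [e for e in parse(log) if e.scope == "user"]

if __name__ == "__main__":
    for e in per_user(SAMPLE_LOG):
        print(e.code, e.body)
```

Lines that name no hive (BHO, toolbar, DPF and similar) are reported as "unscoped" rather than guessed, so they still need a manual look.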
 
All of the R1 and R0 options are known to me.

I installed a local firewall (Kerio) on this computer in order to see what is going on when starting my HTML editor.

What happens is that the HTML editor uses IExplore to connect to 65.113.115.3 port 80 (ns2.nondescriptns.com or and this results in the first popup window.

When closing the HTML editor a connection to 65.113.112.21 and 64.235.246.142 and 64.235.246.141 and 64.235.246.158 and
64.235.246.120 (landing.domainsponsor.com) opens and this results in the second popup window.

As a temporary solution I've blocked these addresses in the corporate firewall.
This gives me the result that I no longer get the popup windows and the cookies from these sites.

Any more suggestions to this problem ?

Regards
Lars-Gunnar
 