
coastalbuck

I have a serious pop-up ad problem on two computers I use frequently. I can't find what is generating the ads, I've scanned, Ad-awared, searched and still can't find out. One is a laptop running XP, the other is a desktop running 2000. I don't think it has anything to do with the sites I visit because the other four machines I use a lot don't have the problem. They are running similar OS's. Two desktops with XP, a laptop with XP, and a laptop with 98. The kicker is that the ads are only generated in Internet Explorer, not Firefox. All machines have Firefox, it's really all I use. The two offending machines generate pop-ups in IE WHILE I'm using Firefox, it's really annoying. I'd appreciate any help. Thanks ahead of time. :biggrin:
     
    scooter1369;675798; said:
    Wow. Gotta think on this one a bit. Popups occur in IE, even when IE isn't the active browser? hmmm.....
    That does sound very familiar - a structured search with that specific symptom might prove useful. (In fact, I had such an issue before, and sought, and implemented, a solution - so I am certain the truth is out there.)

    Edit - here is one article that reflects the precise symptom you report. It suggests using some more heavyweight detection methods, which as I recall was what I resorted to implementing, with success.
    Here is another thread with the same type of advice - sounds like some kind of malware?
     
    scooter1369;675798; said:
    Wow. Gotta think on this one a bit. Popups occur in IE, even when IE isn't the active browser? hmmm.....

    You got it Buddy, irritating as hell. Just about makes both machines junk for internet usage. An example, I just walked away from the laptop with XP for 5 minutes with it still connected to my network and no browser running. When I came back to it, there were about 15 popups running in IE!!!!!!!!!!!!!
     
    You've got some type of spyware or malware on the PC. The more advanced ones will get past almost any detection mechanism. Try Windows Defender if you haven't already. In my experience it's the best one out there.
     
    I'll try that Hodge, when I get the chance. I did run Windows Defender like was suggested earlier, it did find and remove two things, didn't solve the problem though. Thanks for the help. I'll run it when I can.
     
    I did the ewido check, it found 141 problems that I deleted. I also ran the Hijack this and the results are as follows.


    Scan saved at 8:21:44 PM, on 12/4/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\acs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\pashenp.exe
    C:\WINDOWS\pashenpA.exe
    C:\WINDOWS\next06.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\?racle\n?pdb.exe
    C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tim\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {43E40E33-B9D6-BB2F-828D-C36935FD86C3} - C:\WINDOWS\System32\jktofjl.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [pashenpA] C:\WINDOWS\pashenpA.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e34.exe
    O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e34.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Orcl] "C:\WINDOWS\System32\CROSOF~1.NET\taskmgr.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mhcfunj] C:\WINDOWS\?racle\n?pdb.exe
    O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
    O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
    O4 - Global Startup: D-Link REG Utility.lnk = ?
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.adsextend.net
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.adsextend.net (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161132531998
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161132486833
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pashenp.exe
     
    There are forums (easily found with Hijack This - Forum as search terms) to which I would strongly urge you to submit the file list you found with Hijack. This is one such forum.

    Most likely the Forum helpers (who are very good I might add) will look for oddly named files and processes.
    For instance:
    C:\WINDOWS\?racle\n?pdb.exe
    If the question mark is real, and not merely an oddity from the lack of HTML expression on this board, this would raise a red flag.
    Another tool to consider is IceSword - if there are truly invisible things being run, it will find them.
     
    First thing you need to do is go here http://www.microsoft.com/technet/sysinternals/Utilities/PendMoves.mspx and download pendmoves and movefile (one file). Save it on c:\ and unzip it there. We'll get back to this.


    This would all best be done in safe mode. Hopefully that will keep things from running so they actually get deleted.
    If you're not sure about safe mode, go here: http://www.microsoft.com/resources/...ll/proddocs/en-us/boot_failsafe.mspx?mfr=true

    You'll want to select safe mode with command prompt. (You'll probably want to print this post as well.)


    I cannot find info on either of these executables. I've never heard of them. They are most likely problems, I would look just to make sure that they aren't anything that you use.
    C:\WINDOWS\pashenp.exe
    C:\WINDOWS\pashenpA.exe


    Run Hijack this again, this time use the scan and fix option.
    Put a check by these values to fix:
    R3 - URLSearchHook: (no name) - {43E40E33-B9D6-BB2F-828D-C36935FD86C3} - C:\WINDOWS\System32\jktofjl.dll
    O4 - HKLM\..\Run: [pashenpA] C:\WINDOWS\pashenpA.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e34.exe
    O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e34.exe
    O4 - HKCU\..\Run: [Mhcfunj] C:\WINDOWS\?racle\n?pdb.exe
    O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.adsextend.net
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.adsextend.net (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pashenp.exe



    Ok, HijackThis should have fixed those problems, now we need to do some file cleaning just in case. MoveFile will delete these files on the next reboot. Go to the start menu, select run and type in "cmd" (no quotes) then select ok. Type these in as shown and hit enter one at a time (the ending double quotes are important, that tells the program to delete the file):

    c:\movefile c:\windows\pashenpa.exe "" (once again, I'm pretty sure these first two are problems, if you don't recognize them as helpful programs, then they are)
    c:\movefile c:\windows\pashenp.exe ""
    c:\movefile c:\nwnmff_e34.exe ""
    c:\movefile c:\kybrdff_e34.exe ""
    c:\movefile c:\windows\?racle\n?pdb.exe "" (you are going to have to find this directory and file and type it in as it is on your computer. ? is not a valid windows file or folder character)
    c:\movefile "c:\program files\psdream\psdream.exe" ""
    c:\movefile C:\WINDOWS\next06.exe ""



    Ok, one last thing before the reboot. Go to c:\program files and delete the "psdream" folder. Now you can reboot. Run Ewido first thing when you reboot to make sure everything is ok.

    Good Luck!
     
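Added example, not part of the original thread: a Python triage pass over HijackThis log lines that flags the kinds of entries the reply above marks for fixing (an unnamed URLSearchHook, Run entries launched from the drive root or directly from C:\WINDOWS, paths containing `?`, Trusted Zone additions, services with an unknown owner). The heuristics and function names are assumptions for illustration, a hit means "review this" rather than "malware", and the sample lines are copied from the log posted in this thread.

```python
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {43E40E33-B9D6-BB2F-828D-C36935FD86C3} - C:\WINDOWS\System32\jktofjl.dll
O4 - HKLM\..\Run: [pashenpA] C:\WINDOWS\pashenpA.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e34.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Mhcfunj] C:\WINDOWS\?racle\n?pdb.exe
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pashenp.exe
"""

LINE_RE = re.compile(r"^[ \t]*([A-Z]\d+) - (.*)$", re.M)
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]*\] (.+)$")

def exe_path(cmd):  # executable path from a quoted or bare Run command line
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    m = re.match(r"(?i)(.+?\.exe)\b", cmd)
    return m.group(1) if m else cmd

def reasons_for(code, body):
    """Hypothetical review heuristics; a hit means 'look at this', not 'malware'."""
    reasons = []
    run = RUN_RE.match(body) if code == "O4" else None
    if code == "R3" and "(no name)" in body:
        reasons.append("unnamed URLSearchHook")
    elif run:
        path = exe_path(run.group(1).strip())
        parent = path.rsplit("\\", 1)[0].rstrip("\\").lower()
        if "?" in path:
            reasons.append("'?' in path (invalid Windows filename character)")
        if parent in ("c:", "c:\\windows"):
            reasons.append("autostart from drive root or WINDOWS folder")
    elif code == "O15":
        reasons.append("site added to IE Trusted Zone")
    elif code == "O23" and "Unknown owner" in body:
        reasons.append("service with unknown owner")
    return reasons

def triage(log_text):
    """Return (code, reasons, body) for every log line that trips a heuristic."""
    hits = []
    for m in LINE_RE.finditer(log_text):
        reasons = reasons_for(*m.groups())
        if reasons:
            hits.append((m.group(1), reasons, m.group(2)))
    return hits
```

Calling `triage(SAMPLE_LOG)` returns six of the seven sample lines; the AVG Anti-Spyware Run entry under Program Files is the one left out.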
    coastalbuck;675797; said:
    I have a serious pop-up ad problem on two computers I use frequently. I can't find what is generating the ads, I've scanned, Ad-awared, searched and still can't find out. One is a laptop running XP, the other is a desktop running 2000. I don't think it has anything to do with the sites I visit because the other four machines I use a lot don't have the problem. They are running similar OS's. Two desktops with XP, a laptop with XP, and a laptop with 98. The kicker is that the ads are only generated in Internet Explorer, not Firefox. All machines have Firefox, it's really all I use. The two offending machines generate pop-ups in IE WHILE I'm using Firefox, it's really annoying. I'd appreciate any help. Thanks ahead of time. :biggrin:

    The pops are ads that have been written into the Registry. You are going to have to use regedit to delete them. Hopefully an updated Norton will find them, then you need to click on the adware warning to take you to the Norton website, they will help you step by step if you are afraid of Regedit. I take it you use MySpace or the likes? Ad-pops usually are coming from image sites and profile sites lately.

    I have had this problem before; my wife uses MySpace, so I feel ya. I know exactly what you're going through.
     