Irritating adware problem

I have a problem I've not encountered before and can't find a solution. I'm hoping someone out there can help...

There is some irritating program on my system that opens pop-up browser ads at random intervals. These ads are not being initiated from websites. For example, I have my homepage set to about:blank. When I open Internet Explorer, I'll get a popup. Then, it seems that every so many clicks the same happens. I also know it's not the websites since it happens when I browse my own websites...

I run the Microsoft-recommended Ad-Aware and also Spybot Search & Destroy. Neither seems to be able to fix this problem...

Any ideas?
 
I think that page's name is "about.htm". Anyway, search for these links in the registry and delete them; maybe this will solve your problem.
This happens due to worms.

Thanks
 
Yes, devorem is right. Use HijackThis. It will show you all the suspicious registry entries. The only trick is that YOU have to know which ones need to be removed. It will show all BHOs (browser helper objects) such as Yahoo or Google toolbars, download managers, iTunes, etc.

If you run HijackThis and are not sure what to delete, post a copy of the results here and maybe we can help you. There are also several forums that specialize in helping with it.

I just got done removing the same kind of pop-ups from my daughter's computer a couple of days ago. Somewhere along the line something you think is harmless gets downloaded and it installs this browser-hijacking crap. The folks who build this kind of software should be tortured publicly in the worst way imaginable. They should be sentenced to life with only a 386 computer, 14K modem, and AOL. And no local access number. But that's just my opinion.

Gary
 
I ran HijackThis and deleted the ones I could definitely identify as rogue - it seems to have cured my problem... for now! Thanks guys! If it comes back, I'll definitely post the results...
 
Just one other tip: Yahoo Toolbar now has "Yahoo Anti-Spy", which is PestPatrol. It finds a LOT of items and in my experience removes better than Ad-Aware and Spybot; however, using all 3 is my recommendation.


Oh, but the Yahoo one seems to dig deeper into the registry to remove root problems.
 
Stephen said:
Just one other tip: Yahoo Toolbar now has "Yahoo Anti-Spy", which is PestPatrol. It finds a LOT of items and in my experience removes better than Ad-Aware and Spybot; however, using all 3 is my recommendation.


Oh, but the Yahoo one seems to dig deeper into the registry to remove root problems.

I'm a bit sceptical about these add-on toolbars... I wouldn't be surprised if they had their own little spyware programs included... whatcha think?
 
Another thing to consider: if you are using Windows XP or a later OS, you may want to kill the System Restore function while cleaning the system off. Otherwise it will cause all removed files to be restored at the next reboot if it thinks they are system files.
 
As far as toolbars go, I only trust the Google or Yahoo ones, or the Firefox ones since they are open source and I can see what they do. Others, I am very VERY skeptical of.
 
I have the same adware problem that LegalAlien had experienced, and (as recommended) ran HijackThis in an effort to eradicate this evil little program. However, I'm not quite as savvy as LegalAlien in identifying what appears to me as a needle in a haystack. Could someone please review my output and help me to identify what (all) needs to go?
Thanks!
 

Attachment: hijackthis.txt (6.4 KB)
enuf_alrdy said:
I have the same adware problem that LegalAlien had experienced, and (as recommended) ran HijackThis in an effort to eradicate this evil little program. However, I'm not quite as savvy as LegalAlien in identifying what appears to me as a needle in a haystack. Could someone please review my output and help me to identify what (all) needs to go?
Thanks!

Not that I don't trust you, but could you please paste the contents of that output file?
 
I totally understand... here it is:
Logfile of HijackThis v1.99.0
Scan saved at 9:06:42 PM, on 1/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\System32\PD6000SM.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Documents and Settings\Administrator\Application Data\sits.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\My Downloads\hijackthis\HijackThis.exe
C:\WINNT\system32\?ttrib.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9E741062-A2A5-A129-D13F-8A4D82D372C6} - C:\WINNT\system32\nlnbb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Quick Search - {0E677229-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINNT\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Sper] C:\Documents and Settings\Administrator\Application Data\sits.exe
O4 - HKCU\..\Run: [Exzbdt] C:\WINNT\system32\?ttrib.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://play.hoylegames.com/cab/WONWebLauncherControl.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
 
devorem said:
I can fix this. I charge $45/hr. :D

That's not very nice ;) Hmm - apparently I'm not as savvy as you though, 'enuf'.

I would probably hazard a guess or two and fix it, but I'm not going to speculate and mess up your machine further. Maybe you should take devorem up on his offer?
 
Well, maybe I'll just back everything up that I care about, and start tinkering. Worst case is that I jack the whole thing up and am forced to re-format and start over. Sometimes a reset is good. In fact, you could just look at my HijackThis output and see all of the crap that has accumulated on my system. And if I'm able to fix it... then I could offer to fix some other person's system for $45/hr. :]
Thanks for the input, and devorem, I haven't totally ruled out your offer yet...
 
sits.exe is a major problem; nothing needs to run out of that folder.

Go to My Computer. First make sure your My Computer is set to show hidden files (Tools, Options, if I am not mistaken) (oh, and while you are there, set it to show file extensions for known file types).

Then click your address bar and paste this in:
C:\Documents and Settings\Administrator\Application Data\

Find the sits.exe and rename it sits.exebad.

Use HijackThis to remove it from your auto-startup and reboot. That will fix a lot of your problem right there; nothing legit runs in that folder, NOTHING.

(I have removed over 170k spyware infections in the last 10 weeks or so, some PCs with 2000+ infections, I became a pro at manual removal since even the best anti-spyware apps didn't get them)

I am trying to work with Webroot software now because I found a site hosting many spyware apps that auto-downloaders would download and install. I am hoping Webroot will work to stop all of these malicious spyware apps.

They are a bigger concern to me than the worst of viruses. I have seen numerous spyware apps that are keyloggers and log your keyboard input to send to ad agencies. These companies are already using unethical means to advertise; what will prevent them from using info you type against you?

Edit: And for the curious, that was prior to the new year, and at an educational institution. Just to clarify :)
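A way to apply Gary's advice (HijackThis shows you the entries, you have to know which ones to remove) and Stephen's rule of thumb (nothing legitimate auto-starts from Application Data) mechanically, as an added example that is not part of the thread and not code from HijackThis itself: a small Python script that reads the O2 (BHO) and O4 (Run key) lines of a HijackThis log and flags the entries the replies single out. The sample lines are copied from the log posted above; the SYSTEM32_LOOKALIKE_TARGETS list and the PROFILE_DIRS list are my own illustrative choices, not anything HijackThis ships.

```python
"""Triage a HijackThis log the way the replies above do by hand.

Added example for this thread; not part of HijackThis and not code
posted by anyone in it.  The rules are the ones the replies apply:
  * a program started from the user's profile folders (Stephen's point
    about sits.exe in Application Data)
  * a '?' in a path: '?' is illegal in a Windows file name, so it is a
    character HijackThis could not render, and '?ttrib.exe' is a
    look-alike of the real attrib.exe
  * a BHO with "(no name)" living in system32
  * an entry whose file is already gone ("(file missing)")
"""
import fnmatch
import ntpath
import re

# Copied from the log posted above (a subset of its O2/O4 lines).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9E741062-A2A5-A129-D13F-8A4D82D372C6} - C:\WINNT\system32\nlnbb.dll
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Sper] C:\Documents and Settings\Administrator\Application Data\sits.exe
O4 - HKCU\..\Run: [Exzbdt] C:\WINNT\system32\?ttrib.exe
"""

# Illustrative list (my assumption): real system32 binaries that a
# one-character-off name is most likely imitating.
SYSTEM32_LOOKALIKE_TARGETS = ["attrib.exe", "svchost.exe", "lsass.exe",
                              "winlogon.exe", "explorer.exe"]

# Illustrative list (my assumption): folders from which no legitimate
# program should be auto-started, lower-cased for matching.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\",
                "\\documents and settings\\", "\\temp\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")


def strip_args(cmd):
    """Return just the executable path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: take everything up to the first ".exe" token.
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def lookalike_of(path):
    """Name of a system binary that `path` imitates, or None.

    HijackThis prints a character it cannot display as '?'; fnmatch
    treats '?' as a one-character wildcard, so '?ttrib.exe' matches
    'attrib.exe'.
    """
    base = ntpath.basename(path).lower()
    if "?" not in base:
        return None
    for target in SYSTEM32_LOOKALIKE_TARGETS:
        if fnmatch.fnmatchcase(target, base):
            return target
    return None


def reasons_for(path):
    """List the reasons a file path in a log entry looks suspicious."""
    reasons = []
    low = path.lower()
    if low.endswith("(file missing)"):
        reasons.append("file missing: orphaned entry, safe to remove")
        low = low[: -len("(file missing)")].rstrip()
    if any(d in low for d in PROFILE_DIRS):
        reasons.append("auto-starts from a user profile folder")
    if "?" in ntpath.basename(low):
        reasons.append("'?' is not legal in a Windows file name; "
                       "HijackThis could not render a character here")
        target = lookalike_of(low)
        if target:
            reasons.append("look-alike of %s" % target)
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = reasons_for(m.group("path"))
            if m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                reasons.append("unnamed BHO in system32")
            if reasons:
                findings.append((line, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            reasons = reasons_for(strip_args(m.group("cmd")))
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -> " + r)
```

Run against the sample, it leaves the Acrobat helper and vptray alone and flags the unnamed system32 BHO, the orphaned AIM entry, sits.exe in Application Data, and ?ttrib.exe as a look-alike of attrib.exe. The script only reads a text file, so it can be run on a clean machine against a log copied off the infected one; it does not touch the registry, which is still HijackThis's job once you have decided what to remove.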
 
Wow! Thanks for the heads-up Stephen. I actually always have my systems configured so that I can see both hidden files and extensions but I still couldn't see sits.exe. However, your suggestion caused me to look at other possible viewing options, and I spotted the option to disable hiding protected operating system files. With this option, I not only was able to see sits.exe but also imsu.exe, which is something Sygate has been blocking for me. I think imsu.exe is related to that evil clickspring spyware. I kept going to this directory path with hidden files enabled but could never spot it. Thanks again.
 