swatkat,

are you able to find anything in the log files? what are my next steps....I've been trying to avoid reformatting and reinstalling everything but it seems like that may be the answer at this point? please advise...thanks....JD


angelopc,

thanks for the reference....I believe I've covered these steps.....I've been working with swatkat on specifics at this point....thought we were there a couple of times

I just haven't read anything about you cleaning up your TEMP files or turning off System Restore or scanning in Safe Mode....

swatkat.....no - they are pop ups to web sites....I just plugged it in to the net and started to go to some sites.....took a couple of minutes - but the one that is popping up now is http://ad.bannerconnect.net and www.whatsnewreport.com - any ideas?

Hi jd51edwin,
WinPFind log looks clean. Can you run a full system scan of Webroot SpySweeper in Safe Mode? And, please download CCleaner and install it. While you are in Safe Mode, run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.


Hi angelopc,
Thanks for the input! Hope we will get rid of the "baddies"! By the way, turning off System Restore is not a good idea.

angeloPC - yes, we did not turn off system restore etc.....but I think we did do some scanning in safe mode and deleted temp files....I could be mixing it up with my PC that got infected at the same time.....the PC is fixed now....the laptop is not

swatkat....I am running it now and will post when it's completed...thanks...JD

Hi,
Ok. Also, download the Hosts file from here. Put it in the C:\WINNT\SYSTEM32\DRIVERS\ETC folder.

swatkat.....I did the steps....here's the session log from Spy Sweeper.....I connected to the Internet.......and so far so good :) ...keepin' my fingers crossed !

1) Session Log - Spy Sweeper

********
3:42 PM: | Start of Session, Wednesday, June 14, 2006 |
3:42 PM: Spy Sweeper started
3:42 PM: Sweep initiated using definitions version 698
3:43 PM: Starting Memory Sweep
3:45 PM: Memory Sweep Complete, Elapsed Time: 00:02:21
3:45 PM: Starting Registry Sweep
3:45 PM: Found Adware: command
3:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
3:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
3:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
3:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
3:45 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
3:45 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
3:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
3:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
3:45 PM: Found Adware: linkmaker
3:45 PM: HKCR\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180460)
3:45 PM: HKCR\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180464)
3:45 PM: HKCR\fseytdc.yvakt\ (3 subtraces) (ID = 1180468)
3:45 PM: HKCR\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180472)
3:45 PM: HKLM\software\classes\fseytdc.ariaqudok\ (3 subtraces) (ID = 1180510)
3:45 PM: HKLM\software\classes\fseytdc.ariaqudok.1\ (3 subtraces) (ID = 1180514)
3:45 PM: HKLM\software\classes\fseytdc.yvakt\ (3 subtraces) (ID = 1180518)
3:45 PM: HKLM\software\classes\fseytdc.yvakt.1\ (3 subtraces) (ID = 1180522)
3:45 PM: Found Adware: forethought
3:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\treewood\ (2 subtraces) (ID = 1352578)
3:45 PM: HKCR\clsid\{5c3e6596-c64f-48e0-ac1e-b9c6eb3a5915}\ (8 subtraces) (ID = 1389899)
3:45 PM: HKCR\clsid\{624a3cdb-8c0a-4902-8480-191582c8498e}\ (8 subtraces) (ID = 1389908)
3:45 PM: HKCR\typelib\{90aff1ef-c901-4991-8d61-5beea455e090}\ (9 subtraces) (ID = 1389930)
3:45 PM: HKLM\software\classes\clsid\{5c3e6596-c64f-48e0-ac1e-b9c6eb3a5915}\ (8 subtraces) (ID = 1389974)
3:45 PM: HKLM\software\classes\clsid\{624a3cdb-8c0a-4902-8480-191582c8498e}\ (8 subtraces) (ID = 1389983)
3:45 PM: Found Adware: sysprotect
3:45 PM: HKLM\software\classes\typelib\{90aff1ef-c901-4991-8d61-5beea455e090}\ (9 subtraces) (ID = 1390005)
3:45 PM: Found Adware: dollarrevenue
3:45 PM: HKLM\software\ksr39sj5\ (4 subtraces) (ID = 1390021)
3:45 PM: Registry Sweep Complete, Elapsed Time:00:00:19
3:45 PM: Starting Cookie Sweep
3:45 PM: Found Spy Cookie: yieldmanager cookie
3:45 PM: jdumas@ad.yieldmanager[2].txt (ID = 3751)
3:45 PM: Found Spy Cookie: adecn cookie
3:45 PM: jdumas@ad2.adecn[1].txt (ID = 2064)
3:45 PM: jdumas@adecn[1].txt (ID = 2063)
3:45 PM: Found Spy Cookie: adknowledge cookie
3:45 PM: jdumas@adknowledge[2].txt (ID = 2072)
3:45 PM: Found Spy Cookie: atwola cookie
3:45 PM: jdumas@atwola[1].txt (ID = 2255)
3:45 PM: Found Spy Cookie: searchingbooth cookie
3:45 PM: jdumas@banners.searchingbooth[1].txt (ID = 3322)
3:45 PM: Found Spy Cookie: exitexchange cookie
3:45 PM: jdumas@exitexchange[2].txt (ID = 2633)
3:45 PM: Found Spy Cookie: clickandtrack cookie
3:45 PM: jdumas@hits.clickandtrack[2].txt (ID = 2397)
3:45 PM: Found Spy Cookie: screensavers.com cookie
3:45 PM: jdumas@i.screensavers[1].txt (ID = 3298)
3:45 PM: Found Spy Cookie: top-banners cookie
3:45 PM: jdumas@media.top-banners[1].txt (ID = 3548)
3:45 PM: Found Spy Cookie: mediaplex cookie
3:45 PM: jdumas@mediaplex[1].txt (ID = 6442)
3:45 PM: Found Spy Cookie: nextag cookie
3:45 PM: jdumas@nextag[2].txt (ID = 5014)
3:45 PM: Found Spy Cookie: realmedia cookie
3:45 PM: jdumas@realmedia[1].txt (ID = 3235)
3:45 PM: jdumas@searchingbooth[1].txt (ID = 3321)
3:45 PM: Found Spy Cookie: statcounter cookie
3:45 PM: jdumas@statcounter[1].txt (ID = 3447)
3:45 PM: Found Spy Cookie: tacoda cookie
3:45 PM: jdumas@tacoda[1].txt (ID = 6444)
3:45 PM: jdumas@yieldmanager[2].txt (ID = 3749)
3:45 PM: Cookie Sweep Complete, Elapsed Time: 00:00:09
3:46 PM: Starting File Sweep
4:13 PM: Found Adware: visfx
4:13 PM: 526_6200.exe (ID = 303223)
4:18 PM: atmtd.dll (ID = 166754)
4:18 PM: Found Adware: personal money tree
4:18 PM: gbe90qs.exe (ID = 309486)
4:19 PM: 526_620[1].exe (ID = 303223)
4:21 PM: Found Adware: targetsaver
4:21 PM: maxidr[1].avi (ID = 302928)
4:22 PM: installer[2].exe (ID = 231664)
4:22 PM: Found Trojan Horse: trojan-dropper-agenthl
4:22 PM: vsl03.exe (ID = 297448)
4:22 PM: atmtd.dll._ (ID = 166754)
4:22 PM: Found Adware: zquest
4:22 PM: vsl02.exe (ID = 290920)
4:22 PM: Found Adware: zenosearchassistant
4:22 PM: nt68rrtc12.sys (ID = 220230)
4:22 PM: Found Trojan Horse: trojan downloader matcash
4:22 PM: mc-110-12-0000228[1].exe (ID = 294587)
4:22 PM: jiub5f27y.hhy (ID = 276229)
4:22 PM: mc-110-12-0000220.exe (ID = 294587)
4:23 PM: cmdinst.exe (ID = 231664)
4:23 PM: ftuninst.exe (ID = 304355)
4:23 PM: x3cqp0.dll (ID = 304371)
4:23 PM: backup-20060604-221003-852.dll (ID = 304371)
4:24 PM: system32ftuninst.exe (ID = 304355)
4:24 PM: vsl05.exe (ID = 299775)
4:24 PM: msnav32.ax (ID = 220229)
4:24 PM: File Sweep Complete, Elapsed Time: 00:38:14
4:24 PM: Full Sweep has completed. Elapsed time 00:41:17
4:24 PM: Traces Found: 169
4:29 PM: Removal process initiated
4:29 PM: Quarantining All Traces: command
4:29 PM: Quarantining All Traces: linkmaker
4:29 PM: Quarantining All Traces: forethought
4:29 PM: Quarantining All Traces: sysprotect
4:29 PM: Quarantining All Traces: dollarrevenue
4:29 PM: Quarantining All Traces: yieldmanager cookie
4:29 PM: Quarantining All Traces: adecn cookie
4:29 PM: Quarantining All Traces: adknowledge cookie
4:29 PM: Quarantining All Traces: atwola cookie
4:29 PM: Quarantining All Traces: searchingbooth cookie
4:29 PM: Quarantining All Traces: exitexchange cookie
4:29 PM: Quarantining All Traces: clickandtrack cookie
4:29 PM: Quarantining All Traces: screensavers.com cookie
4:29 PM: Quarantining All Traces: top-banners cookie
4:29 PM: Quarantining All Traces: mediaplex cookie
4:29 PM: Quarantining All Traces: nextag cookie
4:29 PM: Quarantining All Traces: realmedia cookie
4:30 PM: Quarantining All Traces: statcounter cookie
4:30 PM: Quarantining All Traces: tacoda cookie
4:30 PM: Quarantining All Traces: visfx
4:30 PM: Quarantining All Traces: personal money tree
4:30 PM: Quarantining All Traces: targetsaver
4:30 PM: Quarantining All Traces: trojan-dropper-agenthl
4:30 PM: Quarantining All Traces: zquest
4:30 PM: Quarantining All Traces: zenosearchassistant
4:30 PM: Quarantining All Traces: trojan downloader matcash
4:30 PM: Removal process completed. Elapsed time 00:01:28
********
3:42 PM: | Start of Session, Wednesday, June 14, 2006 |
3:42 PM: Spy Sweeper started
3:42 PM: Program Version 4.5.9 (Build 709) Using Spyware Definitions 698
3:42 PM: | End of Session, Wednesday, June 14, 2006 |
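
An added example, not part of the original posts and not Webroot's code: a small parser for a session log in the layout posted above that lists the detected families, groups trace lines by sweep phase, and reports any family that has a "Found" line but no matching "Quarantining All Traces" line. It assumes the line layout seen in this log; trace lines are grouped by phase rather than by family because the log does not state which family each trace belongs to, and the sample input is constructed.

```python
import re

# Constructed sample in the session-log layout posted above; the family
# names, paths and IDs are placeholders, not values from the thread.
SAMPLE_LOG = r"""
3:45 PM: Starting Registry Sweep
3:45 PM: Found Adware: exampleware
3:45 PM: HKLM\software\exampleware\ (4 subtraces) (ID = 1000001)
3:45 PM: Registry Sweep Complete, Elapsed Time:00:00:19
3:45 PM: Starting Cookie Sweep
3:45 PM: Found Spy Cookie: exampletracker cookie
3:45 PM: user@exampletracker[1].txt (ID = 1000002)
3:46 PM: Starting File Sweep
4:22 PM: Found Trojan Horse: example-dropper
4:22 PM: sample01.exe (ID = 1000003)
4:22 PM: sample02.dll (ID = 1000004)
4:29 PM: Removal process initiated
4:29 PM: Quarantining All Traces: exampleware
4:29 PM: Quarantining All Traces: exampletracker cookie
4:30 PM: Removal process completed. Elapsed time 00:01:28
"""

LINE = re.compile(r"^\s*\d{1,2}:\d{2} [AP]M: (.*)$")
PHASE = re.compile(r"^Starting (\w+) Sweep$")
FOUND = re.compile(r"^Found ([A-Za-z ]+?): (.+)$")
TRACE = re.compile(r"^(.+) \(ID = \d+\)$")
QUARANTINE = re.compile(r"^Quarantining All Traces: (.+)$")

def triage(log_text):
    """Return (families, traces per sweep phase, families never quarantined)."""
    families, traces, quarantined, phase = {}, {}, set(), None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # separators such as '********' and blank lines
        msg = m.group(1).strip()
        if (p := PHASE.match(msg)):
            phase = p.group(1)
            traces.setdefault(phase, [])
        elif (f := FOUND.match(msg)):
            families.setdefault(f.group(2), f.group(1))
        elif (q := QUARANTINE.match(msg)):
            quarantined.add(q.group(1))
        elif (t := TRACE.match(msg)) and phase:
            traces[phase].append(t.group(1))
    # Trojans are listed first so they are reviewed before adware or cookies.
    missing = sorted((n for n in families if n not in quarantined),
                     key=lambda n: families[n] != "Trojan Horse")
    return families, traces, missing

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)[2])
```
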

Hi,
Glad to hear it! SpySweeper has found some really tough baddies! Have you downloaded the Hosts file and placed it in the required folder? Please post back if you get any popups.
