
Why am I receiving so many Pop-ups even while I'm offline? I can't play video games without being interrupted. It's already annoying online but now offline! Give me a break! I just keep getting all of these Microsoft IE pop-up windows. My OS is Windows XP Home Edition.

0

It seems as if your browser was hijacked or something for you to be getting IE popups while offline. Are the offline ones always for the same site?

0

I don't actually know what you mean by "for the same site" but the pop-ups usually are all the same kinds of advertisements.

0

I don't actually know what you mean by "for the same site" but the pop-ups usually are all the same kinds of advertisements.

This won't stop the popups, but will help increase your personal control over your own computer and clean up the content in the popups.
If you can find out where the popups are trying to take you, write down the address, which will probably turn out to be something like: "ads.x10.com" or something. After you compile a large list of these addresses, throw them in your HOSTS file in %system%/System32/drivers/etc folder using this format:

127.0.0.1 www.adbanneraddress.com (that's not a real addy, btw)

What this does is create a kind of DNS "busy signal" for your computer so that every time the browser is told to go to one of the sites in your HOSTS file, it gets looped back to your local machine instead. Done.

I have a rather large hosts file that I'd be willing to give you; you can also get them on the web in different places.

I found that this eliminated one hole through which browser hijackings could occur and proliferate. I hope it helps you.

-gkd
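The list-then-append procedure described in the post above, as an added example that is not part of the original post: it reduces collected addresses to hostnames, rejects anything that is not a valid multi-label name, and appends only hosts that have no mapping yet, so it is safe to re-run. The sample data and the function names are constructed for illustration.

```python
import re

# Constructed sample data: an existing hosts file and a list of collected ad hosts.
EXISTING_HOSTS = """\
# sample hosts file
127.0.0.1 localhost
127.0.0.1 ads.example.test
"""
COLLECTED = ["ads.example.test", "http://Banners.Example.test/ad?id=1",
             "tracker.example.test", "bad host name", "localhost"]

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(entry):
    """Reduce a URL or hostname to a lowercase hostname, or None if invalid."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.strip().lower())
    host = re.split(r"[/:?#]", host, maxsplit=1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return None  # also refuses single-label names such as localhost
    return host if all(LABEL.match(label) for label in labels) else None

def mapped_hosts(hosts_text):
    """Return the set of hostnames that already have a mapping."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        names.update(f.lower() for f in fields[1:])
    return names

def add_block_entries(hosts_text, collected, sink="127.0.0.1"):
    """Append 'sink hostname' lines for new valid hosts.

    Returns (new_text, added, rejected); existing mappings are never touched.
    """
    present = mapped_hosts(hosts_text)
    added, rejected = [], []
    for entry in collected:
        host = normalize(entry)
        if host is None:
            rejected.append(entry)
        elif host not in present:
            present.add(host)
            added.append(host)
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "".join(f"{sink} {h}\n" for h in added), added, rejected
```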

0

Hi eyeamdaman1

What cscgal is wondering is if they are Messenger pop-ups.......Does Messenger appear at the top of a box with them in?

Also if you really want to get your browser and comp sorted out, do this :-


Please Download hijackthis from

http://www.merijn.org/files/hijackthis.zip

Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam

0

Logfile of HijackThis v1.97.7
Scan saved at 7:59:27 PM, on 1/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\SuperBar\sbhc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

0

C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Downloaded Program Files\OELoader.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Alset\HelpExpress\Owner\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\Owner\Client\HelpExp.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\editpad.exe
C:\Program Files\Alset\HelpExpress\Owner\HXDL.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Alset\HelpExpress\Owner\Client\PrintMonitor.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\emsw.exe

0

C:\Program Files\America Online 8.0a\waol.exe
C:\Program Files\America Online 8.0a\shellmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.156\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?newlx (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?newlx about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?newlx (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?newlx about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?newlx (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?newlx (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?newlx (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://searchmyrequest.com/hp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?newlx (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bhs5xvdn.slt\prefs.js)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\System32\expext.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: 7FaSSt Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Program Files\FS\7Search.dll

0

O3 - Toolbar: Netster - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - C:\WINDOWS\DOWNLO~1\Netster.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: SuperBar - {26845B8C-A5E4-40D0-AFC7-D14C60BCF1BF} - C:\Program Files\SuperBar\SuperBar.Dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
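A way to sort a log like the one above before reading it line by line, as an added example that is not part of the original posts: it groups entries by section code and lists those worth a closer look. The sample lines are copied from the log above; the heuristics and function names are assumptions for illustration, not HijackThis's own logic or a verdict on any entry.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the log posted above (a subset, for illustration).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?newlx (obfuscated)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Group entries by section code (R1, O2, ...); other lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def review_reasons(code, body):
    """Assumed heuristics: why an entry deserves a closer look (not a verdict)."""
    reasons = []
    if "(obfuscated)" in body:
        reasons.append("obfuscated URL")
    if body.endswith("(no file)"):
        reasons.append("target file missing")
    if code in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed browser add-on")
    if code == "O1" and body.startswith("Hosts:"):
        try:
            addr = body.split()[1]
            if not ipaddress.ip_address(addr).is_loopback:
                reasons.append("hosts entry redirects to " + addr)
        except (IndexError, ValueError):
            reasons.append("unparseable hosts entry")
    return reasons

def triage(text):
    """Return [(code, body, reasons)] for every entry with at least one reason."""
    return [(code, body, review_reasons(code, body))
            for code, bodies in parse_log(text).items()
            for body in bodies if review_reasons(code, body)]
```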

0

I'm trying to post the log but it won't let me.

If you want to sharpen that up a little, you can use [BB] code. Just type [], put code in the middle, then at the end of the statement put [/] with code behind the forward slash.
Example

O3 - Toolbar: Netster - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - C:\WINDOWS\DOWNLO~1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
0

Ok, please clarify your message. What are those codes going to do? I understand you wanting me to do that, but what is the effect?
I just want to paste the rest of the hijackthis log. It seems to be too big to paste.

1

Hi eyeamdaman1

You have loads of malware in there....follow these instructions in the order they are posted...this will clean a lot of it out and cut your log by more than half.

1.
Download and run this program :-

http://www.merijn.org/files/cwshredder.zip
-----
2.
Uninstall HelpExpress and Bargain Buddy from Control panel add/remove programs
-----
3.
Please Download and install SpyBot,

http://security.kolla.de/

click the online tab to search for and download the updates, then shut down and relaunch SpyBot.

Go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, click 'Check for problems', and have SpyBot remove all it finds 'Fix selected problems'

you may have to run spybot more than once to clear everything

Remove everything pre-ticked in Red
-----
4.
download AdAware 6...<<click this.......
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

Post a new Hijackthis log.....When you click the "save button"...notepad should open with the log in it...save it to your desktop.......go to the saved file and open it.....click "edit"....then "select all"......click "edit" again....click "copy"......right click and "paste" into a new post here.

There will be more to do

steam

Votes + Comments
Very in-depth post ....... )BIG"B"Affleck
0

Thanx for the help steam but now I can't open any windows without freezing. You asked me to download Adaware6 but every time I click on the link or access through the address it freezes up and I have to ctrl-alt-delete to end AOL and startup again. This happens to almost any site I try to access. What's weird is I can access Techtalk with no problems. Please help!!!!!!

0

Boot in to safe mode
Directions:
Hit F8 before Windows XP starts. Choose/highlight SAFE MODE, then do one thing at a time, for it will be slow. That's how you safely remove/fix problems. (Remember: one thing at a time in there.)

Note: HijackThis is what I call a robust tool for the average. I suggest you use Spybot Search & Destroy first, then Adaware; you can delete everything without worry.

0

Hi eyeamdaman1

Nothing I told you to do should have caused these problems you are having.....

Did you run the shredder ?

Did you run spybot ?

If so ...forget adaware and ....

Post a new Hijackthis log.....When you click the "save button"...notepad should open with the log in it...save it to your desktop.......go to the saved file and open it.....click "edit"....then "select all"......click "edit" again....click "copy"......right click and "paste" into a new post here.

steam

0

HI caperjack

There is no definite order in which to run these programs.....some say run this first ...some say a different way.

I like to see a hijackthis log first, because if some programs are removed with spybot or adaware, they can cause more problems...Newdotnet (new net domains) is one of these, and should always be removed from the control panel first.

I like to see a hijackthis log to make sure none of these programs are on the computer...then run spybot and (or) adaware to reduce the amount of crap...leaving it easier to see the problems in the HJT log.

steam
