Chinese Pop up

Discussion in 'Malware Help (A Specialist Will Reply)' started by potter82, Mar 19, 2005.

  1. potter82

    potter82 Private E-2

    Hi, I've been getting this pop up in Chinese even though I have installed 2 adware programs and 2 popup blockers. My pop up blockers are very effective but they can't seem to block this one. I've checked the Add/Remove Programs but there doesn't seem to be any new programs. It also sometimes appears even though I'm not opening a browser, so I feel like it may not be linked to Internet Explorer. Is there any way I can find the source of this pop up and disable it? Any help would be greatly appreciated, thanks!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. potter82

    potter82 Private E-2

    Hi, thanks a lot for the reply! Attached is the log file.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    My Search

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    urtclsvc.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O1 - Hosts: 172.19.31.56 http://v4.windowsupdate.microsoft.com

    O2 - BHO: ReviseHelper Class - {749D1D7D-1969-4014-A98D-9E867E7508D0} - C:\Progra~1\8848\MySearch\0.9.7.2\PageRevisor.dll

    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

    O11 - Options group: [!MySearch] ËÑË÷ÖúÊÖ(MySearch)

    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
    O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} (RegMore Class) - http://mysearch.8848.com/mysearch/MySearch.CAB
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\My Search ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\urtclsvc.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. potter82

    potter82 Private E-2

    Hi, thanks a lot for the instructions! I was able to delete the folder mysearch during safe mode, but when I'm back in normal mode it's there again and the pop up still appears. I attached the log file here. I didn't delete the following:

    O1 - Hosts: 172.19.31.56 http://v4.windowsupdate.microsoft.com -> my Windows Update, I didn't dare to delete it

    O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe -> this I believe is related to my use of a Cisco wireless card, so I didn't delete it either

    Thanks!
     


  6. bradster77

    bradster77 Private E-2

    Just out of curiosity mate, what popup blocker do you use?
    I have one called Pop-oops, and it's useless as two tits on a bull, lmao. So ya, which 2, and which adware remover also? Thanks
     
  7. potter82

    potter82 Private E-2

    It's called Panicware Pop-Up Stopper, and I think my Internet Explorer also has a pop up blocker, and I use Spybot and Ad-Aware SE Personal.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert


    Pop-up blocker, WinXP SP2 has a built in one, I use this one and never had a problem. Most users here use Pop-Up Stopper Free Edition 3.1.1012
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Remove this entry, if I tell you to remove it then it's bad! Nothing should be listed in your HOST file. (O1 Entries)

    Also, the O23 entry (service) urtclsvc.exe is related to the Cisco Secure User Registration Tool.

    Allow me a moment to check your new log.
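
A sketch of how the HijackThis entries quoted in this thread can be parsed and sorted for review, added here as an example; it was not posted by any participant and is not part of HijackThis. The field layout is inferred from the log lines above, and the three review rules are assumptions for illustration: a flag means "look closer", as with the O23 service that turned out to belong to a Cisco tool.

```python
import re

# Constructed sample: five entries copied from the log lines quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 172.19.31.56 http://v4.windowsupdate.microsoft.com
O2 - BHO: ReviseHelper Class - {749D1D7D-1969-4014-A98D-9E867E7508D0} - C:\Progra~1\8848\MySearch\0.9.7.2\PageRevisor.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} (RegMore Class) - http://mysearch.8848.com/mysearch/MySearch.CAB
O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe
"""

# "<code> - <kind>: <body>", e.g. "O2 - BHO: ..." (layout inferred from the thread).
ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d+)\s+-\s+(?P<kind>[^:]+):\s*(?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOOPBACK = {"127.0.0.1", "::1"}

def parse_log(text):
    """Split each log line into section code, kind, CLSID and final target field."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers, process list and blank lines are skipped
        body = m["body"].strip()
        clsid = CLSID.search(body)
        entries.append({
            "code": m["code"],
            "kind": m["kind"].strip(),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "target": body.rsplit(" - ", 1)[-1],  # file path or download URL
        })
    return entries

def review_notes(entry):
    """Assumed triage rules; each note is a reason to investigate, not a verdict."""
    notes = []
    if entry["code"] == "O1":
        ip, _, name = entry["body"].partition(" ")
        if ip not in LOOPBACK:
            notes.append(f"hosts file maps {name.strip()} to {ip}")
    if entry["target"] == "(no file)":
        notes.append("registration points at a missing file")
    if "Unknown owner" in entry["body"]:
        notes.append("no owner listed; identify the vendor before removing")
    return notes

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["code"], e["kind"], "|", "; ".join(review_notes(e)) or "no rule matched")
```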
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.

    Second:

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: ReviseHelper Class - {749D1D7D-1969-4014-A98D-9E867E7508D0} - C:\Progra~1\8848\MySearch\0.9.6.6\PageRevisor.dll

    O11 - Options group: [!MySearch] ËÑË÷ÖúÊÖ(MySearch)

    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab

    O18 - Filter: text/html - {65CBAF77-19CA-4B81-86D5-7835D59BEA85} - C:\WINDOWS\system32\SoMp3.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\8848 ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\SoMp3.dll


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows, scan with HijackThis and attach the new
     
  11. potter82

    potter82 Private E-2

    Hi, thanks for the reply. I followed the instructions and the folder is now gone. I haven't seen any pop ups so far, hopefully it's OK now. Attached is the log file. Thanks again!
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean!:)

    Are you having any further problems?
     
  13. potter82

    potter82 Private E-2

    Hi, nope so far so good. Thanks a lot for the help ;)
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

