Popups! YUCK!

Discussion in 'Malware Help (A Specialist Will Reply)' started by bekka24, Dec 27, 2005.

  1. bekka24

    bekka24 Private E-2

    :eek: I am helping a friend of mine fix his computer. He has all these popups that just keep opening whenever it is on the internet. I have done all the scans in the "read this first" tutorial, but they are still coming up. Please help?

    Thanks!
    Bekka
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must follow the directions in the READ & RUN ME. If you have done ALL the steps then read steps 6 & 7 again because you did not do what was requested.
     
  3. bekka24

    bekka24 Private E-2

    Sorry for the lack of information included above, it had been a few days since I had gone through the steps and hadn't realized which information I had needed to include.

    I have now gone back and done the steps over. All of the scans in #5 came back clean. One oddity, Adaware SE told me that my definitions were 51 days out of date, however I had downloaded and successfully installed (so I thought) them about 3 days ago. Curious? :confused:

    For step #6, I ran Bitdefender and saved the scan results as a text file as instructed (attached). I also ran the Panda ActiveScan, and it came back clean, however I didn't see how to save a log of the scan results. Sorry about that part.

    For step #7, I will attach the log in a matter of mere moments....Thanks for your help to this point!
     
  4. bekka24

    bekka24 Private E-2

    Okay, here is the HJT logfile as well as the Bitdefender log file....see Attached!

    Any help as to how to proceed would be greatly appreciated!

    Thanks,
    Bekka
    :confused:
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First empty your Norton AntiVirus Quarantine folder.

    Then run the below to disable/remove Windows Messenger:

    Disable/Remove Windows Messenger

    Your HJT log is clean. If the above does not help the popups, do the below steps:
    • Run the steps in the below link and post the Ewido log:
    • Download WinPFind
      • Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
      • When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
    • Let's get an installed programs list from HijackThis.
      • Run HijackThis, click Open the Misc Tools section
      • Click "Open Uninstall Manager"
      • Click "Save List" (generates uninstall_list.txt)
      • Click Save, to save it to a file where you can find it.
      • Upload this file as an attachment too.
     
  6. bekka24

    bekka24 Private E-2

    Thanks for the response!

    Well, I have run the Disable/Remove Windows Messenger, but the problem continues....

    I downloaded and ran the Ewido (log attached) and it said 9 items were found/quarantined.:eek:
    I ran the WinPFind (log attached).:eek:
    I ran HJT again as that is what the Ewido instructions said to do (log attached), as well as posting also the Uninstall File Manager listing (attached).:eek:

    Thanks Again!
    Bekka
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for ContextPlus and uninstall this.

    Then tell me if the popups stop.

    Do you have any idea what this file is: C:\WINDOWS\SYSTEM32\anssasn1.exe

    And also this C:\WINDOWS\ppgwK which arrived today?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It also looks like you have some startups disabled from loading (based on what is in the WinPfind log). Please run msconfig and select Normal Startup and then reboot. After reboot post a new WinPfind log and a new HJT log.
     
  9. bekka24

    bekka24 Private E-2

    Okay...
    I removed "context plus".
    I ran the msconfig and selected normal.
    I have attached the new logs for HJT and WinPfind.
    As for the two programs you mentioned. I don't know what they are, as I said at first I'm helping a friend fix his computer, and while I told him not to use it while I was trying to fix it, he sometimes doesn't listen....But, I don't think he has been using it....so what I'm trying to say is, I don't know what those files are or where they came from.
    Thanks for all your help, Hope the new logs help.
    Bekka
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those two items I mentioned
    C:\WINDOWS\SYSTEM32\anssasn1.exe

    C:\WINDOWS\ppgwK

    are gone now. Did you delete them?

    Your HJT log is clean. How are things working now?
     
  11. bekka24

    bekka24 Private E-2

    I didn't delete them. I looked for them in the locations that they should be in and I didn't see them. The only thing I deleted was that "context plus" program. I haven't done anything else with the computer before I deleted that, so I don't know what would have caused two files to appear and then disappear. Do you know what kind of files they are? (ie. should I be worried?) There is a wireless network in the house, however there haven't been any other computers hooked up to it for about 2 months. The computer that has the problem is the host computer, and I'm not sure if the network is protected (as it is not my computer). If it is not a password protected network, and someone else is using the connection, could this be causing the problem?

    I haven't had the popup problem since deleting the "context plus" program, however when I did the msconfig and now my computer is slow at startup because it seems to be loading a lot of programs (the ones that are minimized at the bottom right of the screen next to the clock), and I think most of them are unnecessary.

    I was reading another post, where there was a link to something like a "startup control panel" program that would help you clean up the programs that were automatically started when you started the computer. Could you please post a link to that here if you think it would be helpful. My friend always complains about how slow his computer is and I think that doing some routine cleanup/maintenance would help improve how quickly it works. If you have any tips on that could you please share them or post a link here as well.

    Thanks for all your help!
    Bekka
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Startup CPL is a better choice than using msconfig but let's first remove things that never need to load at startup and then also anything that you may no longer need. For example, you do not need to have both Ewido and MS Antispyware. If you are not going to buy Ewido, I would use only MS Antispyware and uninstall Ewido. Also I would not personally use any of the AOL Antispyware or antivirus stuff but that is up to you. Just let me know what you want to do but I would not keep all of them loading and running.

    These next 3 lines can be fixed with HJT as they are not required to run at startup and just slow you down and waste resources. So fix them.
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    This next line is used to automatically look for updates to Microsoft Picture-It every time you boot up. Do you really want this? I wouldn't.
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

    This next one is not needed but a convenience feature. See: http://www.liutilities.com/products/wintaskspro/processlibrary/igfxtray/ and then decide if you want or need to ever use it.
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe

    For the next Sound Blaster process see:
    http://www.liutilities.com/products/wintaskspro/processlibrary/diagent/
    Then decide if you need it.
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

    As I said before, I would not use AOL Spyware Prot.
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

    The next line is related to Microsoft Money and is not essential to the operation of your system. MS Money should work without this being loaded at startup. Do you need this?
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

    Oh and perhaps those two other items were related to ContextPlus and when uninstalled they were deleted.
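
Added example (not part of the original thread or of chaslang's post): a small Python parser for the HijackThis O4 startup lines quoted in the post above, splitting each into hive, value name, executable and arguments so the entries can be reviewed as an inventory. The function and field names are this example's own, and it assumes the `O4 - HIVE\..\Key: [Name] command` layout seen in those lines.

```python
import re
from typing import NamedTuple, Optional

# O4 lines copied from the post above (HijackThis startup entries).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
'''

class StartupEntry(NamedTuple):
    hive: str         # HKLM (all users) or HKCU (current user)
    key: str          # Run, RunOnce, ...
    name: str         # registry value name shown in brackets
    exe: str          # executable path, quotes removed
    args: str         # anything after the executable
    short_path: bool  # True if the path uses 8.3 short names (e.g. PROGRA~1)

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$')
# Quoted command: the path is whatever sits between the quotes.
QUOTED_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
# Unquoted command: paths may contain spaces, so cut at the first
# executable extension instead of the first space.
UNQUOTED_RE = re.compile(r'^(.+?\.(?:exe|com|bat|cmd|scr))(?:\s+(.*))?$', re.I)

def parse_o4(line: str) -> Optional[StartupEntry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None  # not an O4 registry startup line
    hive, key, name, cmd = m.groups()
    q = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    exe, args = (q.group(1), q.group(2) or '') if q else (cmd, '')
    return StartupEntry(hive, key, name, exe, args.strip(),
                        bool(re.search(r'~\d', exe)))

def parse_log(text: str) -> list:
    return [e for e in map(parse_o4, text.splitlines()) if e]

if __name__ == '__main__':
    for e in parse_log(SAMPLE_LOG):
        print(f'{e.hive:4} {e.name:32} {e.exe}  args={e.args!r}')
```

Entries flagged `short_path` need their 8.3 names expanded on the machine itself before the path can be compared against an installed-programs list.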
     
  13. bekka24

    bekka24 Private E-2

    Okay, I'm going to clean the stuff that was suggested. Still don't know about those two files???? :confused: Oh well! We don't even use AOL anymore, he only used it because he had a subscription which was paid for by his father, but his father cancelled, so now it's just internet explorer and comcast (the cable provider), however I don't know how to uninstall all of AOL's components. As for Ewido, no I don't think he's going to purchase it, however Comcast offers a free service McAfee Antivirus. What do you think of this vs. Microsoft Antispyware? Obviously only one is needed, so whichever one you think is best is the one we are going to use.

    As for Intel Graphics configuration, I don't even know what programs that is used for. Don't know anything about Creative Sound Blaster's uses either. As for all the other programs, I don't care anything about whether those run at startup. So I will delete those, and wait for more input about the other items.

    Thanks!
    Bekka
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What two files? Did you read the last sentence of my previous message?

    You uninstall AOL like any other program.....use Add/Remove programs under Control Panel.

    McAfee Antivirus is not the same thing as MS Antispyware. One is antivirus and one is antispyware. McAfee can be a resource hog.

    Input from who? This is not a topic for the malware forum.
     
