What is this???

Discussion in 'Malware Help (A Specialist Will Reply)' started by KM1, May 25, 2005.

Thread Status:
Not open for further replies.
  1. KM1

    KM1 Private First Class

    OK, over the weekend my daughter was doing homework and googling sites to get some information while in AOL. She clicked on this one site that she found and up popped a smaller window that said about.blank at the top in the blue bar with a white page, nothing else. She clicked on the red X and nothing happened. Clicked the Red X of AOL and the box came up that said it was not responding. She ended now and closed out. Went back on and finished her work. I was on today through AOL and clicked on a saved site that my pop up blocker in AOL beeped. I have been on this site many times without a problem. Once the popup blocker beeped a smaller box came up with about blank in the blue bar then it immediately changed to something that said I had won an iPod click here to receive. I closed the window with the red X. Tried google and nothing but google popped up. Tried another site that my pop up blocker beeped and blocked a pop up and a smaller window in the right hand bottom corner of the screen came up, closed and about blank came up again with that same winning ipod message. I closed it again. It seemed that any site that has any popups at all activates this window. If it is a clean site, like this one, then nothing comes up. I pulled up Internet explorer and went to the same site that had activated this window. Nothing came up, however, when I closed IE the same window about the ipod was underneath IE. Once I close down the window it will not come up again and I can surf no problem. But if I close AOL and go back on again and go to a site with popups being blocked it reactivates the small window in the bottom right corner, which closes quickly, then the about blank window, then this changes to that ipod winning thing click here. My question is, is this an about blank hijacker? It does not hijack my browser just opens up this window. By the way, the site I clicked on when I noticed this was Michigan State Women's Volleyball.
    I am running Mcafee Viruscan, Firewall Plus, a Linksys router with hardfirewall, Microsoft Antispyware with all active processes running, xcleaner, adware se with vx2 addin installed, CCleaner, CWShredder, and Windows XP w/SP2 all up to date. All spyware are run religiously and CCleaner is run 5 times a day. What is this little window I have coming up?

    KM1
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sorry about the delayed response, we have been really busy here lately! The little window could be anything; to rule out malware, proceed with the following steps.

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. KM1

    KM1 Private First Class

    Ok here is my hijackthis log. It took me a while to figure out how to do all this so if I made a mistake let me know. By the way, this little popup came right back up after doing a complete reinstall/reformat of my hard drive. Just opened AOL browser, clicked on my favorite "Michigan State Women's Volleyball" (official athletic site for Spartans Volleyball) and right after a popup was blocked by AOL popup blocker this thing popped up. Any help would be appreciated. This thing is now on two machines and I have no idea what it is. No scans have found anything and they were all run in safe mode. Even ran a Panda scan from their website on my own with it not finding anything.
     


  4. KM1

    KM1 Private First Class

    Hey, I just downloaded and ran hijackthis on my larger newer computer (bigger CPU, etc.) which has the same problem mentioned in this post. If it would be helpful, I can also attach this log to this post and the two can be compared to see similarities and possibly identify the cause of this nasty little popup. Based on my conversations with Dell Spyware Techs, they have never heard of a popup like this that came back right after a clean reinstall while only updating/downloading Windows XP updates, Mcafee updates, Adaware, CCleaner, CWshredder, Xcleaner, MSAS, all directly through their update features or directly through their addresses typed in. This might be a new nasty little thing. Has not caused a major problem, yet, except for its annoying popping up whenever CCleaner has cleaned its cookie out and I reestablished a connection to a college website that initiates the popup blocker to react. So if you want this other log to help, just let me know.

    KM1
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, I don't see any problems.

    Download the following program:

    Spy Sweeper 3.5.0.199

    After you install, be sure you get all available updates! After you get the updates run a full sweep and remove all found infections.

    Afterwards reboot and let me know how things are running.
     
  6. KM1

    KM1 Private First Class

    bjgarrick,

    I was wondering if you would also take a look at the hijackthis log from my newer computer since it seems to have the same issue with this popup. I will attach it to this reply.

    Also, I am not sure I want to download another spyware program like spysweeper, even temporarily, with all that I am running right now. I already have Adaware SE w/VX2 addin, Xblock's Xcleaner spyware scanner/remover (good tool), MSAS up to date and all active components running, Mcafee Viruscan / Firewall Plus / & Privacy Service with all their active components popup/web bug/& ad blockers, CCleaner, CWshredder, along with hijackthis and a linksys router with a hardware firewall. I have also run Panda's new online virus & spyware scanner. I know that spysweeper is a good program but to add another program into the registry with everything I've done so far is a little overwhelming. Isn't there any other online scanner I can use that will give the information I need to see if I am clean and tell me what this little bugger is??

    Thanks so far, you have been a great help. Attached is the hijackthis log from my other (more important) computer. Any further assistance with this issue on my two computers is of immeasurable value.

    KM1
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, there isn't any online scan that will do what SpySweeper can do.

    This is for the latest log you have posted, from the newest computer.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    MyWay or MyWaySA

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\MyWaySA <-- Delete this whole folder if it exists!

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete the above REBOOT, Scan with HijackThis and attach the new log.
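
Added example, not part of the thread and not HijackThis's own code: a small Python parser for the R0/R1/R3/O2 line shapes quoted in the post above, which checks a fix list against a scan log and reports which entries are actually present before anything is ticked. The sample log is constructed to mirror what KM1 reports in post #8; the function and variable names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# R0/R1 lines: "<code> - <hive\key>,<value name> = <data>"
REG_RE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
# R3/O2 lines: "<code> - <kind>: <name> - {CLSID} - <file>"
COM_RE = re.compile(
    r"^(R3|O2) - (?:URLSearchHook|BHO): .*? - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


class Entry(NamedTuple):
    code: str    # HijackThis section code, e.g. "R1" or "O2"
    key: str     # "registry key,value name" or the CLSID
    target: str  # URL or DLL path the entry points at


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for line shapes not handled here."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(2) + "," + m.group(3), m.group(4))
    m = COM_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(2), m.group(3))
    return None


def _norm(e: Entry) -> Tuple[str, str, str]:
    # Registry paths, CLSIDs and Windows file paths are case-insensitive;
    # URLs are folded the same way to keep the comparison simple.
    return (e.code, e.key.lower(), e.target.lower())


def split_fix_list(fix_text: str, log_text: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (present, missing): fix-list entries found / not found in the log."""
    logged = {_norm(e) for e in map(parse_line, log_text.splitlines()) if e}
    present, missing = [], []
    for e in filter(None, map(parse_line, fix_text.splitlines())):
        (present if _norm(e) in logged else missing).append(e)
    return present, missing


# The six entries quoted in the post above.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
"""

# Constructed sample log (not the attached one): a rescan taken after the
# Add or Remove Programs uninstall, plus one constructed, unrelated O4 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    present, missing = split_fix_list(FIX_LIST, SAMPLE_LOG)
    for e in present:
        print("check and fix:", e.code, e.key)
    for e in missing:
        print("not in this log:", e.code, e.key)
```

Entries reported as missing were either removed by the uninstaller or never existed on that machine, so there is nothing to tick for them in HijackThis.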
     
  8. KM1

    KM1 Private First Class

    OK, finished. However, couple of things I think I need to make you aware of.

    First: After I clicked fix in hijackthis MSAS came up with a warning that my browser start page was about to be changed from myway to about blank. I went into IE in internet options and clicked the Use Blank button under the main page heading and sure enough about blank is what comes up. So I clicked allow on MSAS's notification. I hope this is OK. Both of my computers have about blank when you click on the use blank button underneath the main page box. Both Machines came this way from Dell. Is this normal to have about blank be one of your options as a main page in IE?

    Second: There were three selections you asked me to fix that were not in the hijack this scan. They were the following -

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

    I am assuming they were taken out when I removed My Way Search Assistant in my add remove programs. By the way, all of this came with my machine from dell right out of the box. I had called them about this on more than one occasion because I noticed that I had a redirect when I first opened IE on my first connection to the internet. This redirect was from dell computer to myway dell computer. All dealt with Dell's home page. Also, Panda's Scan found this as a possible threat and Dell told me that this was a false positive.

    I have been working with Microsoft, Dell, and searching the internet for the possible cause for my intermittent (maybe once a week with daily use) IE hangs and closing because it has encountered a problem on this machine to no avail. Could this have been the problem for the above two errors all along?

    I am on my smaller machine for this post. Once I re-scan with hijackthis I will post the log with my next post from the other machine. Thanks again so far. Will ask a couple questions regarding Spysweeper with the next post and log file.

    KM1
     
  9. KM1

    KM1 Private First Class

    Ok, below is my attached log for my other machine. Wow, sure looks a little shorter. All directions were followed to the letter with the couple of hiccups mentioned in the above reply.

    As far as spysweeper:

    If I download it and use it on a trial basis, that is what I am assuming we will be doing, can I uninstall it completely through add/remove? I mean will it leave remnants of itself all over? That is one of my concerns regarding downloading the trial version. I have deleted all trial versions of software, and there were plenty, that came with my computer and don't want to clutter up my hard drive with stuff unless absolutely necessary. Of course, in this case regarding trying to find that little bugger popup from my original post, it may be necessary.

    Also, is there anything on my computer that will conflict with this program that I will need to adjust or turn off? Example: Active components of MSAS or Mcafee Products???

    Again, below is the attached log from this computer
     


  10. KM1

    KM1 Private First Class

    bjgarrick,

    I have been searching a little on that popup that comes up and the original reason for the post. I think that z1.adserver is using the about:blank window in my IE to pop up ads like the one mentioned in my post. I noticed on Geeks to go that there are some people having similar trouble. The z1.adserver is the name of the popup cookie I find in my IE files once it has popped up on my screen. Just some further info.

    KM1
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, it's normal to have the button to set it to AB.

    Dell is telling people BS, MyWay is a homepage hijacker and should be removed ASAP.


    Your HJT log is clean on that other computer you just attached. Run CCleaner on both computers, reboot into Safe Mode and run it again.

    After doing this it should clear out the cookies. Reboot back into Normal Mode and see if the pop comes up still.
     
  12. KM1

    KM1 Private First Class

    But I have not changed anything from the first hijackthis log for the first computer. You said it was clean, however, there are several lines with the myway in it. They are set up differently than the log you just cleared as being clean. The log is in my second post, posted yesterday at 12:31. Let me know if you want me to clean anything off of this before trying to see if the popup comes up. I will run CCleaner on the computer that was just cleaned, boot into safe mode and run it again. I will then wait to see what you want me to do with this computer before checking both regarding the popup.

    PS-any information regarding my questions on spysweeper dealing with conflicts of MSAS and Mcafee active components or anything else on my machine. As well as ability to completely remove the trial version from my hard drive once I am finished with it. I have yet to download it and run it on the computer that the log below refers to (nor on the other computer that showed a clean log after fixing it with hijackthis).
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your latest HJT log in post #9, where do you see anything that says MyWay?
     
  14. KM1

    KM1 Private First Class

    Post #9 is the log from the larger of the two machines after following instructions in your post #7 regarding the log in post #6. The original log I am referring to is in post #3. That log is from the smaller computer and was originally tagged as clean, however, I did notice (after following your instructions for the larger machine, post #7 about log in post #6) that there were some myway's listed in that log from post #3 which I have left alone to this point per your instructions. In this log the myway's I am referring to are in Line R1 HKCU / Line R1 HKLM & Line R0 HKLM. At the end of these lines they say www.dell4me.com/myway

    In review Log from Post #9 and Post #6 are from the same machine but log from post #3 is from my smaller machine. Both machines had that z1.adserver popup going on. Sorry for the confusion. I probably should have finished with one machine first before adding that other log.

    Still need some information regarding my questions on spysweeper dealing with conflicts of MSAS and Mcafee active components. As well as ability to completely remove the trial version from my hard drive once I am finished with it. Do you still want me to do this for the machine with log #3?

    KM1
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run SpySweeper on both machines, but first get the updates. They will not cause conflicts with one another.

    Those dell entries are ok as long as MyWay isn't installed like the other. After you run SpySweeper on both machines reboot and see if the popup comes up.

    Also, what is your popup blocker set to? It should be on Medium.
     
  16. KM1

    KM1 Private First Class

    OK, I will do the spysweeper thing on the smaller machine first and see what I find. Are there any active components of spysweeper I should either disable or enable before I run a scan or download this program? Remember I have MSAS's active components running at this time. Once I do this on my smaller machine and clean anything off that it finds and see if the popup comes up I will post back. If it does not find anything, then the popup is still a problem because I have already tried going to the volleyball site on this smaller machine this evening and it was still popping up. Of course, I have not run spysweeper yet.

    My popup blockers on both machines were at medium until that popup started coming up, then I changed them both to high. I will change them both back to medium. When they were on high it did block the cookie z1.adserver from loading and thus the popup from coming up in IE, however, in AOL it did not matter. It came up even with IE popup blocker on high.

    I will do all of this tomorrow morning. It is after midnight here, where I am at and I have been working on this issue on and off all day. Thanks again so far, you have been a very big help so far.

    KM1
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It will load on startup and it will have some guards. Like IE guard and things like that, nothing to be concerned about.
     
  18. KM1

    KM1 Private First Class

    Ok, I did as you have asked on my smaller machine. I figure I will stay on one machine now until we get this straightened out, then apply the same principles to my other machine since they have the identical popup going on.

    I updated spysweeper as soon as I downloaded it. It checked for 90 thousand some odd spyware footprints and found nothing. Everything was clean. Now I did turn off the programs startup feature in msconfig and ran it manually from my desktop. I hope this does not negate the scan. If so let me know and I will run it again. I also ran the scan in normal mode with hidden files exposed, file extensions exposed and hide protected operating system files exposed as well and even with all of this I did not find anything. Do you want me to run the scan again in safe mode?

    Also, both of my hijackthis logs were run in normal mode leaving hidden files hidden, or exposing file extensions, or allowing protected operating system files to be exposed. Hope that was OK, just thought I had better let you know in case that was done incorrectly.

    What is next, is it possible my system (or both systems) is clean and this is some new adware popup thing that is coming up hoping I click on cancel or next instead of the red circle with X. Not sure what to do from here?

    KM1
     
  19. KM1

    KM1 Private First Class

    Ok, this is getting frustrating. On both computers it seems that when I select a site that activates my popup blocker, I get a popup window for an advertisement of a free ipod or something. This time instead of z1.adserver at the top it read tribal fusion with an ad for a phone. There has got to be something on both my computers even though hijackthis log is clean, MSAS finds nothing, Xcleaner finds nothing, Mcafee viruscan finds nothing, Panda online viruscan finds nothing, and Spysweeper with updates finds nothing. If I run Adware se and VX2 addin after running CCleaner, it also comes up clean. If I don't run CCleaner then it will find the cookies and I can quarantine them but as soon as I go back to a site that activates my popup blocker they will come back. I have even Run all my scans, except for spysweeper, in safe mode and nothing. Ran Spysweeper in normal mode with hidden files exposed, all extensions exposed, and protected operating system files exposed and nothing. Where do I go from here???

    KM1
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    After you do this on one of the machines, reboot and see if problem remains.
     
  21. KM1

    KM1 Private First Class

    Thanks again for all your help. I am at work right now and I will do as you have suggested as soon as I get home. If you can, please check back at around 4:30 CST to see how it went.

    KM1

    PS-I know you guys are very busy right now and your quick responses have been very much appreciated.
     
  22. KM1

    KM1 Private First Class

    One more thing before I do this. What exactly does deldomains do? Would like to have some info before I run it. Thanks

    KM1
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It removes all domains, whether they be trusted or restricted.
     
  24. KM1

    KM1 Private First Class

    I have no domains listed in any of my internet domains. They are all blank. Are some of these sites you are talking about hidden somewhere???

    KM1
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just install the .inf and see if problem remains. Be sure you reboot after you install the file.
     
  26. KM1

    KM1 Private First Class

    bjgarrick,

    I would like to thank you for all of your help. I have located a person at SWI Forums that has been able to recreate the same popup on their computer using the same Version of AOL that I have. He is suggesting I download this http://www.mvps.org/winhelp2002/hosts.htm. It is what he had to disable in order to get the popup to come up going to the same site I went to. I do appreciate your help but it was suggested that I stay with one of the two sites instead of both. So again, thank you for all of your help. Who knows I may be back, your site is an awesome benefit to us having spyware problems. You can close this thread. Thanks again.

    KM1
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good Luck!
     