virus-massive pop-ups HELP

I have run Avast before boot 2 times now and ran Ad-Aware and Spybot and I won’t stop getting pop-ups. They pop up even when I am not on the internet. It’s usually to download a free screensaver or something stupid, but I keep my computer clean and I can’t get rid of whatever it is that has infected my computer. Please help.

super,

At this point, I would install a pop up blocker until we get things sorted out.
I personally have used HitWare Lite from www.rightutilities.com or Window Shades if you use IE. (search web) Both are effective.

I find Firefox an excellent browser with blocking capabilities as well.

I have not heard of “self-popping” ads that do not feed off the internet, but I will research it.
Let’s try to get the pop ups blocked, then try to find out where they are being generated.

Some things to do:

  1. You can clean out your Temp files and cache for a starter.
  2. If you have a registry cleaner like BeClean, run it also.
  3. Make sure that Adaware and Spybot are up to date and run them again.
  4. Install Hijack This and download the Hijack This Analyzer http://members.home.nl/edeijl/ache/dl.htm
  5. If you’re using Windows XP, turn off the Messenger Service…look up procedure in Help.

If you can get the name of the site from which the popups originate, we can add them to the WebShield in Avast to block those sites.

For now, that is all I can tell you.

Ahh yes, I have seen this problem before; it’s one of the more annoying adware out there.

So the best thing is to do what Techie101 has suggested, but the most important thing is to post a HijackThis log here; Techie101 gave you the link to HijackThis in the post above.

–lee

Here is my logfile

Logfile of HijackThis v1.99.1
Scan saved at 11:04:50 PM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Kacie Houser\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\fpp2037oe.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

At this point you should look through your Add/Remove Programs list to see if there are programs there that are new to you.
I see one that is probably at the heart of your problems: C:\Program Files\Media Access\MediaAccK.exe
and there are more as well. As Techie suggested, go here http://hijackthis.de/index.php and analyse your whole log and "fix" those red entries.
Good luck :)

Hi


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
o1 - hosts: 69.20.16.183 auto.search.msn.com
o1 - hosts: 69.20.16.183 search.netscape.com
o1 - hosts: 69.20.16.183 ieautosearch
o4 - HKLM..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
o9 - extra button: weatherbug - {af6cabab-61f9-4f12-a198-b7d41ef1cb52} - c:\program files\aws\weatherbug\weather.exe (file missing) (hkcu)

Run CW-shredder: http://cwshredder.net/bin/CWShredder.exe

Uninstall Media Access from control panel.

Open Task Manager (Alt + Ctrl + Delete), click the processes tab at the top and kill these processes: (if there)

MediaAccK.exe
MediaAccess.exe

Then delete this Folder:

C:\Program Files\Media Access

Then clean all your temp files. There is a lot, so I suggest you use CCleaner to do this for you: http://www.filehippo.com/download_ccleaner.html

Then reboot your machine

Also there is no active firewall on your system. If you don’t use a hardware one (usually in a router) then I suggest you download a free software one called ZoneAlarm: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe

Then reboot your machine and redo and repost your HijackThis log so we can confirm you’re clean.

–lee

Thank you for your help

Logfile of HijackThis v1.99.1
Scan saved at 11:09:08 PM, on 3/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Kacie Houser\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Your log looks better, but if you are still having problems you have to say so. If nothing’s wrong then we can’t help you fix it.
Perhaps the 3 hosts entries should have gone as well.
I see you have installed Registry Mechanic. I suggest a little caution with that program because it has some drawbacks that go hand in hand with some good useful tools. The spyware detector incorporated into the program is actually SpyHunter, which has a reputation of being loaded with more spyware than it could ever detect. As long as you don’t update the definitions then the program won’t activate. If you already have, then you may find nasties creeping back into your system. At that point I recommend you uninstall it. Ad-Aware and Spybot should be all you need for this.
Good luck

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com

Should be gone. The best thing to do now then is to download Hoster: http://members.aol.com/toadbee/hoster.zip
When it opens, click on the Restore Original Hosts button and then exit Hoster.
Then redo and repost your hijackthis log.

–lee
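
The before/after comparison the helpers do by eye in this thread can be scripted. The following is an added example, not part of the original posts: it diffs the entry sections of two HijackThis logs and lists O1 hosts-file redirects that are still present. The function names are this example's own, and the sample text is a short excerpt of the two logs posted above.

```python
import re

# Entry lines look like "O4 - HKLM..\Run: [name] path"; headers and the
# "Running processes" list do not match and are ignored.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$", re.IGNORECASE)

def parse_entries(log_text):
    """Return the set of (section code, detail) pairs found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1).upper(), m.group(2).strip()))
    return entries

def diff_logs(before, after):
    """Classify entries as removed, added, or persisting between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b),
            "persisting": sorted(a & b)}

def hosts_redirects(entries):
    """O1 entries that point a hostname at a non-loopback address."""
    found = []
    for code, detail in entries:
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", detail)
        if code == "O1" and m:
            ip, host = m.group(1), m.group(2)
            if not (ip.startswith("127.") or ip == "::1"):
                found.append((host, ip))
    return sorted(found)

# Excerpts of the 3/20/2005 and 3/21/2005 logs from this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
C:\Program Files\Media Access\MediaAccK.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\fpp2037oe.dll"""
AFTER = r"""Logfile of HijackThis v1.99.1
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS"""

if __name__ == "__main__":
    for kind, items in diff_logs(BEFORE, AFTER).items():
        for code, detail in items:
            print(f"{kind:10} {code:4} {detail}")
    print("hosts redirects still present:", hosts_redirects(parse_entries(AFTER)))
```

Entries are compared as exact strings, so a reordered hosts file still counts as persisting, while any change in a path or argument shows up as one removed and one added entry.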